02-06-2011 10:41 PM - edited 03-11-2019 12:45 PM
Hi,
I have a deny ACL configured on my Inside interface with debug logging enabled, and when I view the logging console within the ASDM set to debugging I do not see any entries for this ACL ??
It is receiving hits on the ACL but does not show any entries in the log ??
Interface Inside
ACL
172.16.4.189 any http deny debugging
Device is a Cisco ASA 5520 , ASDM 6.2(1) and ASA Version 8.2(1)
Any assistance would be greatly appreciated
02-07-2011 03:29 PM
Thanks for the output, that explains why it is not showing for you.
You have the following command configured, which disables syslog# 106100, which is what you are after:
no logging message 106100
To re-enable logging of syslog# 106100:
logging message 106100
Secondly, your ASDM is only configured with "warnings" (level 4) syslog, while your access-list log is logged under "informational" (level 6), that's why it's not showing up as well. Please modify the logging level for your ASDM to level 6 (informational) as follows:
logging asdm informational
Hope that helps.
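To make the two causes in this answer checkable from a pasted "show run log" and ACE line, here is an added Python checker (not part of the thread or of any Cisco tool); it assumes the message numbers the thread cites (106100 for an ACE with "log", 106023 for a deny without it) and the standard ASA severity names.

```python
import re

# ASA syslog severity names and their numeric levels.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
ACL_LOG_MSG = "106100"   # generated by an ACE that carries the "log" keyword
ACL_DENY_MSG = "106023"  # generated by a deny ACE without "log" (severity 4)

def parse_show_run_log(text):
    """Return (disabled message ids, {destination: severity name}) from 'show run log'."""
    disabled, dests = set(), {}
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"no logging message (\d+)", line)
        if m:
            disabled.add(m.group(1))
            continue
        m = re.fullmatch(r"logging (buffered|trap|history|asdm|console|monitor) (\w+)", line)
        if m and m.group(2) in SEVERITY:
            dests[m.group(1)] = m.group(2)
    return disabled, dests

def ace_log_level(ace):
    """Severity of the ACE's 'log' option: None if absent or disabled, 6 if bare 'log'."""
    toks = ace.split()
    if "log" not in toks:
        return None
    rest = toks[toks.index("log") + 1:]
    if rest and rest[0] == "disable":
        return None
    if rest and rest[0] in SEVERITY:
        return SEVERITY[rest[0]]
    if rest and rest[0].isdigit():
        return int(rest[0])
    return SEVERITY["informational"]  # bare "log", "log interval N" or "log default"

def why_not_logged(ace, show_run_log, dest="asdm"):
    """List the configuration reasons a hit on this ACE would not reach `dest`."""
    disabled, dests = parse_show_run_log(show_run_log)
    level = ace_log_level(ace)
    msg = ACL_LOG_MSG if level is not None else ACL_DENY_MSG
    if level is None:
        level = SEVERITY["warnings"]  # 106023 is a severity-4 message
    reasons = []
    if msg in disabled:
        reasons.append(f"message {msg} is disabled ('no logging message {msg}')")
    if dest not in dests:
        reasons.append(f"no 'logging {dest} <level>' line configured")
    elif SEVERITY[dests[dest]] < level:
        reasons.append(f"'logging {dest} {dests[dest]}' ({SEVERITY[dests[dest]]}) "
                       f"is below the ACE log level {level}")
    return reasons
```

Feed it the ACE from the thread and the "show run log" output posted later, and it reports both the disabled 106100 and the ASDM level being warnings; after "logging message 106100" and "logging asdm informational" it reports nothing.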
02-06-2011 10:58 PM
You should be able to see syslog# 106100 in the logs and it has logging level 6 (informational):
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769049
However, even without the "log" keyword on access-list entry, it will be logged under syslog# 106023:
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769021
What logging level have you configured for ASDM logs? As you can configure a different logging level for different logs, it might be that the ASDM logs are not configured at logging level 6.
Also, did you modify the logging level on the actual access-list? By default, if you only have the "log" keyword at the end of the access-list, it is set to logging level 6 (informational). However, if you set the value to debugging (level 7), then you would also need to enable logging level 7 for ASDM logs.
02-06-2011 11:02 PM
Oh, and also for syslog# 106100, if you don't specify the interval to generate the syslog message, by default it is every 300 seconds, so it is a possibility that you might have missed the first one.
Here is more information on the access-list with log and the interval for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1559450
02-06-2011 11:06 PM
I have modified the logging level on the ASDM and the ACL to informational and
no entries are displaying ?? Only hits against the ACL !!
Not too sure if it's something to do with the interface itself ??
The informational logs are only showing accessed URL and built session logs and only this recurring deny message:
Deny inbound protocol 89 on the management interface to 224.0.0.5 ??
There are no other deny entries at all ??
02-06-2011 11:10 PM
Ahhh... so those are multicast denies. Are you actually running a multicast routing protocol? Because passing through multicast in routed mode is not supported unless the ASA is in transparent mode.
02-06-2011 11:21 PM
Yeah, those multicast messages are fine.. But I just
don't know why other deny messages from within our internal network are not displaying in the logs ??
Messages that should be generated off the "inside" interface are not showing !!!
I modified the specific deny ACL to a time range of 1 second but this did not generate anything ??
02-06-2011 11:24 PM
Can you please share the actual configuration line of access-list, as well as the output of "show run log". Thanks.
02-06-2011 11:30 PM
02-06-2011 11:33 PM
Can you please share the CLI output as advised earlier, ie: both the ACL line as well as the output of "sh run log". Thanks.
Screenshot unfortunately does not show us the complete config.
02-06-2011 11:34 PM
And are you also continually sending HTTP traffic from 172.16.4.189 to different destinations?
02-06-2011 11:46 PM
Hi Jennifer, just left work, will get this to you same time tomorrow !! Thanks for your assistance
Simon Galloway
Systems Administrator
ICT Dept , ACMI , Fedsquare
LAN - 0386632308
MOB - 0412233109
02-07-2011 06:14 AM
Your interface ACL should look like this:
access-l ANY deny icmp any any log informational
That example shows the syntax with the log option.
Make sure you have that at the end of the ACL, and like Jennifer said it would be good to see the sh run log and your ACLs.
02-07-2011 03:22 PM
Here is the ACL for this specific traffic that I am trying to test with
the deny rule, and also below is the "sh run log" output .. Hopefully you can suggest something that will help me start viewing inside interface log messages
access-list inbound_inside line 7 extended deny tcp host 172.16.4.189 any eq www log informational interval 1
Attached is the full Inside interface ACL list with the above ACL on line 7
firewall# sh run log
logging enable
logging timestamp
logging buffered errors
logging trap warnings
logging history errors
logging asdm warnings
logging mail alerts
logging from-address firewall@acmi.net.au
logging recipient-address simon.galloway@acmi.net.au level errors
logging host inside 172.16.28.32
logging debug-trace
logging permit-hostdown
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
02-07-2011 03:24 PM
Also a note on my previous post: the sh run log output in the ASDM currently says warnings, but I have been testing by modifying this to informational with no luck !!!
02-07-2011 03:31 PM
Hi,
I think I have resolved this by the output of the sh run log, which was displaying what logs were disabled !! I will enable the ones you requested and let you know if this has resolved it !!
SG