08-24-2017 08:28 AM - edited 02-21-2020 06:14 AM
Apparently the management interface on the 5525-X doesn't support syslog. After 2 1 month(s) working on the problem, it works normally on the inside NIC of the ASA. (TAC and I have tried everything, it's safe to say.)
The DOD has STIG compliance requirements for any clear-text logging to be done over the management interface of any firewall on any relevant .gov or DOD networks. Since there are literally thousands of PIX/ASA machines in use on these internetworks, I am at a loss to understand.
(Security Technical Implementation Guide (STIG): is a cybersecurity methodology for standardizing security protocols within networks, servers, computers, and logical designs to enhance overall security. These (NIST) guides, when implemented, enhance security for software, hardware, physical and logical architectures to further reduce vulnerabilities)
Why won’t it work with this default 106100 message type? Is it rate limited in the IOS under the hood? There is connection limiting on the ASA. It is a restricted interface and I believe it may be only rated at 100Meg. Could this be by design?
Any PIX experts out there have any idea? A fully functional OOB NIC is required. Should I just re-purpose another hardware port? SR 682749016. Thanks in advance.
08-24-2017 08:35 AM
Hello;
So only message 106100 is not being logged when sending syslog through the management interface?
08-24-2017 08:48 AM
Correct. To be clear, at a point in time (May 17) these messages were being output through the OOB int. Somehow the system stopped forwarding them.
106100 messages are used for auditing, so really in our case we are focused on that. 106100 seems to be a high network output message type. Hope this makes sense. Syslog is not my strong suit. Thanks!
08-24-2017 09:36 AM
Hello;
If you do a show access-list, (not sh run access list), are you able to see a logging interval?
Mike.
08-24-2017 11:51 AM
08-24-2017 12:10 PM
Check that: most (a majority) of the access-lists do not display the default interval when running the show access-list command. No, they don't!
08-24-2017 01:38 PM
Hi;
If they don't have the log keyword, they are not going to show the interval. All of them, if they have the log keyword, should have the 300-second interval. Can you either add one line or change the interval to 1?
If you have a global rate limit lower than the one configured on the ACL itself, the one on the ACE will take over.
Mike.
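As an added illustration of the per-ACE log interval and the global rate limit Mike describes (example configuration, not posted by anyone in this thread): the ACL name, interface names, addresses and gateway are placeholders, and the management route assumes the collector sits behind that interface, which matters given the separate management routing table noted in the 09-05-2017 update.

```text
! Added example, not configuration from this thread. Names and addresses are placeholders.

! Before: log keyword with the default interval. "show access-list" displays
! this ACE as "log informational interval 300".
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443 log

! After: interval lowered to 1 second, as suggested above.
! Remove the original ACE first, or the ACL ends up with a duplicate entry.
no access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443 log
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443 log interval 1
access-group OUTSIDE_IN in interface outside

! Syslog from the management interface to a collector (placeholder address).
logging enable
logging trap informational
logging host management 192.0.2.50

! Global rate limit applied only to message 106100: at most 100 messages per 60 seconds.
! Mike's reply above describes how this interacts with the per-ACE interval.
logging rate-limit 100 60 message 106100

! From 9.5 onward the management interface uses its own routing table (see the
! 09-05-2017 update in this thread), so the collector needs a route on that interface.
route management 0.0.0.0 0.0.0.0 192.0.2.1 1
```

After applying this, "show access-list OUTSIDE_IN" should show the new interval on the ACE, and "show logging" shows the configured host and rate limit.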
09-05-2017 07:14 AM
An update: this is a limitation. What happens is that from version 9.5 and later, the management interface uses a different routing table, which is not the same one the ASA uses for normal route lookup. This causes different logs to be lost. Further:
Check the following bug, CSCve61651: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve61651. The issue this bug describes is similar, just that instead of having a Syslog server, the syslogs are sent to an SMTP server as email alerts. I would like to clarify that this bug is not describing a software defect, but a limitation of the ASA; so this behavior is expected when you configure Syslog servers on the management interface; different syslogs (not only 106100) will be lost.