Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1077
Views
17
Helpful
6
Replies

Syslog ID 852001 & 852002

Chess Norris
Level 4
Level 4

‎01-23-2023 06:39 AM

Hello,

I recently observed our FTD is getting flooded with  lots of Syslog ID 852001 & 852002 messages.

It basically hundreds of those messages every minute (example below)

Jan 23 2023 02:51:59: %FTD-6-852002: Received Full Proxy to Lightweight event from application Snort for TCP flow 10.199.254.162/27607 to 10.10.1.94/47873
Jan 23 2023 02:51:59: %FTD-6-852001: Received Lightweight to full proxy event from application Snort for TCP flow 10.14.38.1/27789 to 10.20.8.146/8726
Jan 23 2023 02:51:59: %FTD-6-852002: Received Full Proxy to Lightweight event from application Snort for TCP flow 10.14.38.1/27789 to 10.20.8.146/8726
Jan 23 2023 02:52:04: %FTD-6-852001: Received Lightweight to full proxy event from application Snort for TCP flow 10.14.38.1/34260 to 10.10.1.101/8726

I've read the explanation here

https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs10.html#id_122205 

but it's a bit vague and we dont have any SSL policys and I just started to noticed those messages recently.


Does anyone have an idea on what might trigger those messages?


There is also not possible to filter out those specifik syslog ID's due to a bug, which makes it even more frustrating

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx37329 

Thanks

/Chess

 

6 Replies 6

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-23-2023 07:02 AM

I haven't come across it but, given the BugID you cited, I'd encourage you to open a TAC case.

Work on ENH (enhancement) bugs gets prioritized that way.

Chess Norris
Level 4
Level 4
In response to Marvin Rhoads

‎01-24-2023 11:33 PM - edited ‎01-24-2023 11:33 PM

Thanks. I'll open a case with TAC and see what they say.

/Chess

0 Helpful

MHM Cisco World
VIP
VIP

‎01-25-2023 05:08 AM

I will check this Syslog message today.

Chess Norris
Level 4
Level 4

‎03-24-2023 05:22 AM - edited ‎03-24-2023 05:29 AM

TAC raised the severity for the issue about not beeing able to rate limit those syslog IDs and just replied and told be that this should be fixed in version 7.4, which will most likely will be released in April. The issue is not only with those specific IDs, but rather for all syslog IDs over 805003 (In the range 805003 - 8300006) 

 https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe68840  

/Chess

MHM Cisco World
VIP
VIP
In response to Chess Norris

‎03-24-2023 05:26 AM

Thanks alot for your update 

0 Helpful

adamgerber
Level 1
Level 1
In response to Chess Norris

‎06-28-2023 11:50 PM

Thank you for this - hope this gets fixed in 7.4.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card