06-05-2011 11:36 PM - edited 03-11-2019 01:42 PM
Hi,
I'm trying to capture traffic from host 10.10.10.10 to host 192.168.1.10.
One thing that I still don't understand is why the firewall command "show log" and the syslog server don't capture any packets, but when I do a packet capture, I can see the packets.
"show log" doesn't capture any network traffic from 10.10.10.10 to 192.168.1.10
asafw# sh log | i 10.10.10.10 | i 192.168.1.10
Jun 06 2011 06:05:24 172.27.157.78 : %ASA-5-111008: User 'admin' executed the 'access-list capin permit ip host 10.10.10.10 host 192.168.1.10' command.
Jun 06 2011 06:07:04 172.27.157.78 : %ASA-5-111008: User 'admin' executed the 'access-list cap-fail permit ip host 10.10.10.10 host 192.168.1.10' command.
asafw#
syslog also doesn't capture any network traffic from 10.10.10.10 to 192.168.1.10
syslog{admin}: tail -f logfile | grep asafw | grep 10.10.10.10 | grep 192.168.1.10
But when I do a packet capture, I can see the traffic. Is there any reason why the "sh log" command and syslog are unable to capture specific network traffic from host 10.10.10.10 to host 192.168.1.10?
asafw# sh access-list cap-fail
access-list cap-fail; 2 elements
access-list cap-fail line 1 extended permit ip host 10.10.10.10 host 192.168.1.10 (hitcnt=146) 0x11576850
access-list cap-fail line 2 extended permit ip host 192.168.1.10 host 10.10.10.10 (hitcnt=146) 0x9e07e800
asafw# sh cap
capture cap-fail type raw-data access-list cap-fail packet-length 54 interface dmz [Capturing - 8540 bytes]
asafw# sh cap cap-fail
1043 packets captured
1: 06:10:10.039472 10.10.10.10 > 192.168.1.10: icmp: echo request
2: 06:10:10.062389 192.168.1.10 > 10.10.10.10: icmp: echo reply
3: 06:10:11.039518 10.10.10.10 > 192.168.1.10: icmp: echo request
4: 06:10:11.061550 192.168.1.10 > 10.10.10.10: icmp: echo reply
5: 06:10:12.039518 10.10.10.10 > 192.168.1.10: icmp: echo request
6: 06:10:12.061245 192.168.1.10 > 10.10.10.10: icmp: echo reply
7: 06:10:13.039533 10.10.10.10 > 192.168.1.10: icmp: echo request
8: 06:10:13.061657 192.168.1.10 > 10.10.10.10: icmp: echo reply
9: 06:10:14.039533 10.10.10.10 > 192.168.1.10: icmp: echo request
10: 06:10:14.061672 192.168.1.10 > 10.10.10.10: icmp: echo reply
06-05-2011 11:58 PM
Hi Adam,
Are any syslog messages turned off on the ASA? At what level have you enabled the syslogging? Could you please post the output of "sh run | i logging" here? There is a known bug regarding this in ASA version 7.2. Take a look:
Was this working before?
Regards,
Anu
06-06-2011 12:50 AM
Thanks Anu for your prompt reply. Btw, this is ASA ver 8.0(5). Log messages look OK and it is able to capture other messages, as you can see below.
But I don't know why it can't capture traffic from 10.10.10.10 or 192.168.1.10 while the packet capture is able to capture this traffic.
asafw# sh log | i 192.168.1.10
Jun 06 2011 06:07:04 172.27.157.78 : %ASA-5-111008: User 'admin' executed the 'access-list cap-fail permit ip host 10.10.10.10 host 192.168.1.10' command.
Jun 06 2011 06:07:05 172.27.157.78 : %ASA-5-111008: User 'admin' executed the 'access-list cap-fail permit ip host 192.168.1.10 host 10.10.10.10' command.
asafw#
Here is the show log output
asafw# sh log
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level notifications, 1754250 messages logged
Trap logging: level informational, facility 20, 20772961 messages logged
Logging to inside 172.16.10.10 errors: 181 dropped: 1007
Logging to inside 172.16.10.11 errors: 86 dropped: 336
History logging: level notifications, 1754250 messages logged
Device ID: 'inside' interface IP address "172.16.100.100"
Mail logging: disabled
ASDM logging: level informational, 20772961 messages logged
bound TCP connection denied from host-10.10.180.50/606 to host-10.10.180.49/515 flags SYN on interface outside
Jun 05 2011 05:07:14 10.10.157.78 : %ASA-2-106001: Inbound TCP connection denied from host-10.10.180.50/606 to host-10.10.180.49/515 flags SYN on interface outside
Jun 05 2011 05:07:16 10.10.157.78 : %ASA-2-106001: Inbound TCP connection denied from host-10.10.180.50/606 to host-10.10.180.49/515 flags RST on interface outside
Jun 05 2011 05:08:16 10.10.157.78 : %ASA-2-106001: Inbound TCP connection denied from host-10.10.180.50/605 to host-10.10.180.49/515 flags SYN on interface outside
Jun 05 2011 05:08:19 10.10.157.78 : %ASA-2-106001: Inbound TCP connection denied from host-10.10.180.50/605 to host-10.10.180.49/515 flags SYN on interface outside
Jun 05 2011 05:08:21 10.10.157.78 : %ASA-2-106001: Inbound TCP connection denied from host-10.10.180.50/605 to host-10.10.180.49/515 flags RST on interface outside
Jun 05 2011 05:09:21 10.10.157.78 : %ASA-2-106001: Inbound TCP connection denied from host-10.10.180.50/604 to host-10.10.180.49/515 flags SYN on interface outside
Jun 05 2011 05:09:24 10.10.157.78 : %ASA-2-106001: Inbound TCP connection denied from host-10.10.180.50/604 to host-10.10.180.49/515 flags SYN on interface outside
06-06-2011 01:06 AM
Hi Adam,
I see that the level is set to notifications (level 5) for buffered logging. Could you increase the level to debugging and test if you see logs in the buffer?
logging buffered 7
logging on
clear logging buffer
sh log
Let me know.
Regards,
Anu
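As an added illustration (this script is not from the thread or from Cisco), the following Python code shows the mechanism behind Anu's suggestion: each ASA logging destination has its own level, and a destination at level N only receives messages whose severity digit in the `%ASA-<severity>-<id>` tag is N or lower. It parses the `show logging` header posted above, parses a handful of syslog lines, and reports which messages involving the 10.10.10.10 / 192.168.1.10 pair each destination would actually receive. The two `%ASA-6-302020` / `%ASA-6-302021` ICMP connection lines and their exact wording are constructed for the example; the other sample lines are copied from the thread.

```python
import re

# Severity keywords as shown by "show logging" and accepted by
# "logging buffered <level>"; numeric levels are accepted as well.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Every ASA syslog message carries "%ASA-<severity>-<6-digit id>: <text>".
MSG_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DEST_RE = re.compile(
    r"\s*(Buffer|Trap|Console|Monitor|History|ASDM) logging:\s*(disabled|level \w+)"
)

# Header copied from the "sh log" output in the thread.
SHOW_LOGGING = """\
Syslog logging: enabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level notifications, 1754250 messages logged
Trap logging: level informational, facility 20, 20772961 messages logged
History logging: level notifications, 1754250 messages logged
ASDM logging: level informational, 20772961 messages logged
"""

# Constructed sample: first two lines are from the thread, the two
# ICMP connection lines (302020/302021) are made up for this example.
SAMPLE_LOG = """\
Jun 06 2011 06:05:24 172.27.157.78 : %ASA-5-111008: User 'admin' executed the 'access-list capin permit ip host 10.10.10.10 host 192.168.1.10' command.
Jun 05 2011 05:07:14 10.10.157.78 : %ASA-2-106001: Inbound TCP connection denied from host-10.10.180.50/606 to host-10.10.180.49/515 flags SYN on interface outside
Jun 06 2011 06:10:10 172.27.157.78 : %ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.10/0 gaddr 10.10.10.10/0 laddr 10.10.10.10/0
Jun 06 2011 06:10:12 172.27.157.78 : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.10/0 gaddr 10.10.10.10/0 laddr 10.10.10.10/0
"""


def severity_level(value):
    """Turn '7', 'debugging' or 'level notifications' into a number 0-7."""
    value = value.strip().lower()
    if value.startswith("level "):
        value = value[len("level "):]
    return int(value) if value.isdigit() else SEVERITY[value]


def parse_show_logging(header):
    """Map each logging destination to its configured level (None if disabled)."""
    levels = {}
    for line in header.splitlines():
        m = DEST_RE.match(line)
        if m:
            dest, setting = m.group(1).lower(), m.group(2)
            levels[dest] = None if setting == "disabled" else severity_level(setting)
    return levels


def parse_messages(log_text):
    """Extract severity, message id and the IPv4 hosts named in each message."""
    msgs = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not an ASA message line (e.g. header text)
        msgs.append({
            "sev": int(m.group("sev")),
            "msgid": m.group("msgid"),
            "hosts": set(IPV4_RE.findall(m.group("text"))),
            "line": line,
        })
    return msgs


def involves(msg, host_a, host_b):
    """True when the message text names both hosts of the pair."""
    return host_a in msg["hosts"] and host_b in msg["hosts"]


def visible_at(msgs, level):
    """A destination at <level> keeps messages whose severity is <= level."""
    if level is None:
        return []
    return [m for m in msgs if m["sev"] <= level]


def report(show_logging, log_text, host_a, host_b):
    """Per destination, the ids of pair-related messages it would receive."""
    levels = parse_show_logging(show_logging)
    pair = [m for m in parse_messages(log_text) if involves(m, host_a, host_b)]
    return {dest: [m["msgid"] for m in visible_at(pair, lvl)]
            for dest, lvl in levels.items()}


if __name__ == "__main__":
    for dest, ids in report(SHOW_LOGGING, SAMPLE_LOG, "10.10.10.10", "192.168.1.10").items():
        print(f"{dest:8s} -> {ids}")
```

With the buffer at notifications (5) the level-6 connection messages never reach `show logging`, while the trap destination at informational (6) does receive them; raising the buffer to debugging (7) as suggested above makes the buffer behave like the trap destination for these messages.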
06-07-2011 07:39 AM
Even if you have debug level syslogs enabled, you won't see logs for your ICMP traffic unless you enable the ICMP inspection.
Thanks,
Brendan