05-18-2017 07:04 AM - edited 03-10-2019 12:49 AM
A recently deployed ASA 5516 with basic configuration is logging a ton of %ASA-7-725011 syslog messages.
Here are the specifics of the device:
--------
Cisco Adaptive Security Appliance Software Version 9.6(2)13
Device Manager Version 7.6(1)
Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
Internal ATA Compact Flash, 7168MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB
--------
Here is a sample of the logs:
May 18 2017 08:42:53: %ASA-7-725011: Cipher[1] : ECDHE-RSA-AES256-GCM-SHA384
May 18 2017 08:42:53: %ASA-7-725011: Cipher[2] : ECDHE-ECDSA-AES256-GCM-SHA384
May 18 2017 08:42:53: %ASA-7-725011: Cipher[3] : ECDHE-RSA-AES256-SHA384
May 18 2017 08:42:53: %ASA-7-725011: Cipher[4] : ECDHE-ECDSA-AES256-SHA384
May 18 2017 08:42:53: %ASA-7-725011: Cipher[5] : ECDHE-RSA-AES256-SHA
May 18 2017 08:42:53: %ASA-7-725011: Cipher[6] : ECDHE-ECDSA-AES256-SHA
May 18 2017 08:42:53: %ASA-7-725011: Cipher[7] : DH-DSS-AES256-GCM-SHA384
May 18 2017 08:42:53: %ASA-7-725011: Cipher[8] : DHE-DSS-AES256-GCM-SHA384
May 18 2017 08:42:53: %ASA-7-725011: Cipher[9] : DH-RSA-AES256-GCM-SHA384
May 18 2017 08:42:53: %ASA-7-725011: Cipher[10] : DHE-RSA-AES256-GCM-SHA384
May 18 2017 08:42:53: %ASA-7-725011: Cipher[11] : DHE-RSA-AES256-SHA256
May 18 2017 08:42:53: %ASA-7-725011: Cipher[12] : DHE-DSS-AES256-SHA256
May 18 2017 08:42:53: %ASA-7-725011: Cipher[13] : DH-RSA-AES256-SHA256
May 18 2017 08:42:53: %ASA-7-725011: Cipher[14] : DH-DSS-AES256-SHA256
May 18 2017 08:42:53: %ASA-7-725011: Cipher[15] : DHE-RSA-AES256-SHA
May 18 2017 08:42:53: %ASA-7-725011: Cipher[16] : DHE-DSS-AES256-SHA
May 18 2017 08:42:53: %ASA-7-725011: Cipher[17] : DH-RSA-AES256-SHA
May 18 2017 08:42:53: %ASA-7-725011: Cipher[18] : DH-DSS-AES256-SHA
May 18 2017 08:42:53: %ASA-7-725011: Cipher[19] : DHE-RSA-CAMELLIA256-SHA
May 18 2017 08:42:53: %ASA-7-725011: Cipher[20] : DHE-DSS-CAMELLIA256-SHA
May 18 2017 08:42:53: %ASA-7-725011: Cipher[21] : DH-RSA-CAMELLIA256-SHA
May 18 2017 08:42:53: %ASA-7-725011: Cipher[22] : DH-DSS-CAMELLIA256-SHA
May 18 2017 08:42:53: %ASA-7-725011: Cipher[23] : ADH-AES256-GCM-SHA384
May 18 2017 08:42:53: %ASA-7-725011: Cipher[24] : ADH-AES256-SHA256
May 18 2017 08:42:53: %ASA-7-725011: Cipher[25] : ADH-AES256-SHA
May 18 2017 08:42:53: %ASA-7-725011: Cipher[26] : ADH-CAMELLIA256-SHA
May 18 2017 08:42:53: %ASA-7-725011: Cipher[27] : AES256-GCM-SHA384
May 18 2017 08:42:53: %ASA-7-725011: Cipher[28] : AES256-SHA256
May 18 2017 08:42:53: %ASA-7-725011: Cipher[29] : AES256-SHA
May 18 2017 08:42:53: %ASA-7-725011: Cipher[30] : CAMELLIA256-SHA
May 18 2017 08:42:53: %ASA-7-725011: Cipher[31] : ECDHE-ECDSA-AES128-GCM-SHA256
May 18 2017 08:42:53: %ASA-7-725011: Cipher[32] : ECDHE-RSA-AES128-SHA256
May 18 2017 08:42:53: %ASA-7-725011: Cipher[33] : ECDHE-ECDSA-AES128-SHA256
May 18 2017 08:42:53: %ASA-7-725011: Cipher[34] : ECDHE-ECDSA-AES128-SHA
--------------------------
How to fix this issue? The device is already deployed and live.
Thanks
05-18-2017 08:33 AM
It's a severity 7 debug log message. You should not have logging configured at the debug level unless you are actively debugging your ASA. When you do have it on, it is to capture messages such as that one (among many others).
You can set the logging level separately for ASDM, the on-device buffer and any external syslog server. As an example, here is what I use:
logging asdm notifications
logging buffered notifications
logging trap warnings
If you for some reason really really want to keep overall logging at the debug level but just want to remove that message then it can be disabled as follows:
no logging message 725011
05-18-2017 08:50 AM
Thanks but..... Here is my logging config - Doesn't seem like ASDM debugging is enabled - In fact the output of command "sh logging asdm" does not include the 725011, so it seems to me the source of these logs is something else.
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: class auth svc ssl, 43105 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 7933395 messages logged
05-18-2017 08:59 PM
The line
Buffer logging: class auth svc ssl, 43105 messages logged
...indicates the logging buffered settings have been customized.
Please see "show run logging" output to see the customization.
05-19-2017 08:59 AM
Yes - I think that is the case - How is it possible that a brand new ASA has customized logging buffered setting (?) - Here is the output you requested. Thank you
#show run logging
logging enable
logging timestamp
logging buffer-size 52428800
logging asdm informational
logging class auth buffered debugging
logging class svc buffered debugging
logging class ssl buffered debugging
no logging message 725011
05-19-2017 08:57 PM
Those three lines with "logging class" are definitely unnecessary and causing the large number of messages. (Although I would expect the last "no logging" command to eliminate the 725011 message.)
I've configured dozens of factory fresh ASAs and never seen one with such customization in the factory default configuration.
I would just substitute those 4 lines with "logging buffered informational" to be consistent with what's appropriate for most production environments. The only time I vary from that is when I am troubleshooting.
If there is a policy, legal or regulatory reason to capture more logs then it should be done via an external syslog server and the "logging trap <log level>" command along with "logging host <address>" command.
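Added example, not part of the thread: a small Python triage script that shows what the two answers above describe. It parses ASA syslog lines to find the noisiest message ID, shows which lines a destination set to "informational" would still keep (ASA keeps severity <= configured level), and flags per-class "logging class ... debugging" overrides in "show run logging" output. The sample lines and the running-config snippet are constructed from this thread; the script assumes each "logging class" line carries a single destination/level pair.

```python
import re
from collections import Counter

# ASA syslog format: "<timestamp>: %ASA-<severity>-<message id>: <text>"
ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")

# Severity keyword as used in "logging buffered <level>" -> numeric level
LEVEL = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
         "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Per-class override lines such as "logging class ssl buffered debugging"
# (assumption: one destination/level pair per line)
CLASS_RE = re.compile(r"^logging class (\S+) (\S+) (\S+)$", re.M)

def parse_line(line):
    """Return (severity, message id, text), or None for non-ASA lines."""
    m = ASA_RE.search(line)
    return (int(m["sev"]), m["id"], m["text"]) if m else None

def count_by_id(lines):
    """Count messages per (severity, id); the top entry is the flood source."""
    return Counter(rec[:2] for rec in map(parse_line, lines) if rec)

def retained_at(lines, level):
    """Lines a destination configured at `level` would keep (sev <= level)."""
    return [l for l in lines if (r := parse_line(l)) and r[0] <= LEVEL[level]]

def debug_class_overrides(running_config):
    """(class, destination) pairs raised to debugging regardless of global level."""
    return [(cls, dest) for cls, dest, lvl in CLASS_RE.findall(running_config)
            if lvl == "debugging"]

# Constructed sample: three lines from the thread plus one informational line
SAMPLE = [
    "May 18 2017 08:42:53: %ASA-7-725011: Cipher[1] : ECDHE-RSA-AES256-GCM-SHA384",
    "May 18 2017 08:42:53: %ASA-7-725011: Cipher[2] : ECDHE-ECDSA-AES256-GCM-SHA384",
    "May 18 2017 08:42:53: %ASA-7-725011: Cipher[3] : ECDHE-RSA-AES256-SHA384",
    "May 18 2017 08:42:54: %ASA-6-302013: Built inbound TCP connection (constructed)",
]
RUN_LOGGING = """logging enable
logging buffer-size 52428800
logging class auth buffered debugging
logging class svc buffered debugging
logging class ssl buffered debugging
"""

if __name__ == "__main__":
    for (sev, mid), n in count_by_id(SAMPLE).most_common(3):
        print(f"%ASA-{sev}-{mid}: {n} messages")
    print("kept at informational:", len(retained_at(SAMPLE, "informational")))
    print("debug overrides:", debug_class_overrides(RUN_LOGGING))
```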
05-23-2017 06:16 AM
Agreed. Thank you