
ASA syslogs sent over a VPN tunnel (L2L)

I'm trying to send syslog to a syslog-server through an L2L ipsec tunnel. The tunnel is up but the logging host does not work. I've done a tcpdump on the syslog-server and don't see any messages coming from the remote peer.  The full configuration for the remote peer is attached.  Thanks in advance for your help.


I followed this guideline:

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116171-qanda-asa-00.html


asa180# sh run | i logg
banner login All activities performed on this device are logged and monitored.
logging enable
logging timestamp
logging list CUSTOMLOGLIST level debugging class sys
logging list VPN-USER level notifications
logging list VPN-USER message 746012
logging list VPN-USER message 722051
logging list VPN-USER message 746013
logging list VPN-USER message 113019
logging list VPN-USER message 315011
logging list VPN-USER message 104024-105999
logging list VPN-USER message 611101
logging list VPN-USER message 605005
logging list VPN-USER message 302013
logging list VPN-USER message 316001
logging list VPN-USER message 751018
logging list VPN-USER message 113404
logging list VPN-USER message 113033
logging list VPN-USER message 716058
logging list VPN-USER message 716059
logging list VPN-USER message 716060
logging list VPN-USER message 716001
logging list VPN-USER message 716002
logging list VPN-USER message 722022
logging list VPN-USER message 722023
logging list VPN-USER message 713119
logging list VPN-USER message 713049
logging list VPN-USER message 313001
logging buffer-size 32767
logging monitor debugging
logging buffered VPN-USER
logging trap VPN-USER
logging history warnings
logging asdm informational
logging host inside 192.168.168.228 format emblem

asa180# sh run | i manage
management-access inside

asa180# sh log
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: level debugging, 5987707 messages logged
Buffer logging: list VPN-USER, 106517 messages logged
Trap logging: list VPN-USER, facility 20, 106516 messages logged
Logging to inside 192.168.168.228 (EMBLEM format)
Permit-hostdown logging: disabled
History logging: level warnings, 680 messages logged
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 1328141 messages logged
asa180# sh cry isakmp sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 2.2.2.92
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs

asa180# sh cry ipsec sa
interface: outside
Crypto map tag: CMAP, seq num: 20, local addr: 1.1.1.2

access-list LAN_Traffic_200 extended permit ip 192.168.180.0 255.255.255.0 192.168.168.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.180.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.168.0/255.255.255.0/0/0)
current_peer: 2.2.2.92


#pkts encaps: 29541, #pkts encrypt: 29541, #pkts digest: 29541
#pkts decaps: 25695, #pkts decrypt: 25695, #pkts verify: 25695
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 29541, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 1.1.1.2/0, remote crypto endpt.: 2.2.2.92/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 2758177C
current inbound spi : 59A3B02B

inbound esp sas:
spi: 0x59A3B02B (1503899691)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 573440, crypto-map: CMAP
sa timing: remaining key lifetime (kB/sec): (4372091/17936)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x2758177C (660084604)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 573440, crypto-map: CMAP
sa timing: remaining key lifetime (kB/sec): (4359088/17936)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

asa180#

SYSLOG-SERVER ------------------------------------------------

[syslog-server@client_logs]# ip addr | grep 192
inet 192.168.168.228/24 brd 192.168.168.255 scope global noprefixroute enp0s3


[syslog-server@client_logs]# ping 192.168.180.3
PING 192.168.180.3 (192.168.180.3) 56(84) bytes of data.
64 bytes from 192.168.180.3: icmp_seq=1 ttl=128 time=124 ms
64 bytes from 192.168.180.3: icmp_seq=2 ttl=128 time=129 ms
64 bytes from 192.168.180.3: icmp_seq=3 ttl=128 time=127 ms
64 bytes from 192.168.180.3: icmp_seq=4 ttl=128 time=126 ms
^C
[syslog-server@client_logs]#
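Two things in the configuration above can be checked offline before touching the boxes again, and the script below is an added example for doing so (it is not part of the original post or of Cisco's documentation). First, syslog generated by the ASA itself and sent out through `logging host inside` with `management-access inside` is sourced from the inside interface address, so that address has to fall inside the crypto ACL (`192.168.180.0/24 -> 192.168.168.0/24`); if it does not, the datagrams are never encrypted into the tunnel. Second, `logging trap VPN-USER` only forwards what the `logging list VPN-USER` filter selects: messages at notifications or more severe, plus the explicitly listed IDs and the `104024-105999` range. An informational message such as 302013 only reaches the server because it is listed. The ASA inside address (`192.168.180.1`) is an assumption, since the post does not show it, and the sample syslog lines are constructed; their message IDs and severities are real ASA ones.

```python
"""Offline pre-flight checks for the ASA-syslog-over-L2L setup in the post.

Added example, not from the original post or from Cisco. It checks:
  1. whether the ASA's own inside address (the source of self-generated
     syslog with `logging host inside` + `management-access inside`) falls
     inside the crypto ACL, i.e. whether the datagrams get encrypted;
  2. whether a given message is selected by the `logging list VPN-USER`
     filter that `logging trap VPN-USER` applies.
Assumption: the ASA inside interface is 192.168.180.1 (not shown in the post).
"""
import ipaddress
import re

# ASA severity keywords and their numeric levels.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Taken from the post's `sh run | i logg` output (abridged to a few entries).
LOGGING_LIST_CONFIG = """\
logging list VPN-USER level notifications
logging list VPN-USER message 746012
logging list VPN-USER message 104024-105999
logging list VPN-USER message 302013
logging list VPN-USER message 313001
"""

# Crypto ACL and endpoints from the post's `sh cry ipsec sa` output.
CRYPTO_ACL_SRC = "192.168.180.0/24"
CRYPTO_ACL_DST = "192.168.168.0/24"
SYSLOG_HOST = "192.168.168.228"
ASA_INSIDE_IP = "192.168.180.1"   # assumption, not in the post
ASA_OUTSIDE_IP = "1.1.1.2"        # local crypto endpoint in the post

# Constructed sample messages; IDs and severities are real ASA ones.
SAMPLE_SYSLOG = [
    "%ASA-6-302013: Built outbound TCP connection 12 for outside:...",
    "%ASA-6-302014: Teardown TCP connection 12 for outside:...",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:...",
    "%ASA-1-105003: (Primary) Monitoring on interface inside waiting",
]

TAG_RE = re.compile(r"%ASA-(\d)-(\d{6}):")


def parse_logging_list(config, name):
    """Return (level, [(lo, hi), ...]) for one `logging list NAME` definition."""
    level, ranges = None, []
    for line in config.splitlines():
        m = re.match(rf"logging list {re.escape(name)} level (\S+)$", line.strip())
        if m:
            level = SEVERITY[m.group(1)]
            continue
        m = re.match(rf"logging list {re.escape(name)} message (\d+)(?:-(\d+))?$",
                     line.strip())
        if m:
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            ranges.append((lo, hi))
    return level, ranges


def parse_asa_tag(line):
    """Return (severity, message_id) from the %ASA-L-nnnnnn: tag of a line."""
    m = TAG_RE.search(line)
    if m is None:
        raise ValueError("no %ASA tag in: " + line)
    return int(m.group(1)), int(m.group(2))


def list_selects(level, ranges, severity, msg_id):
    """A list passes a message if it is at least as severe as the list's
    level (numerically <=) or its ID is listed explicitly or in a range."""
    if level is not None and severity <= level:
        return True
    return any(lo <= msg_id <= hi for lo, hi in ranges)


def covered_by_crypto_acl(src_ip, dst_ip, acl_src=CRYPTO_ACL_SRC,
                          acl_dst=CRYPTO_ACL_DST):
    """True if the flow src_ip -> dst_ip matches the crypto ACL's permit."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(acl_src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(acl_dst))


def run_checks():
    """Return {'inside_encrypted': bool, 'outside_encrypted': bool,
    'selected': {msg_id: bool}} for the constants above."""
    level, ranges = parse_logging_list(LOGGING_LIST_CONFIG, "VPN-USER")
    selected = {}
    for line in SAMPLE_SYSLOG:
        sev, msg_id = parse_asa_tag(line)
        selected[msg_id] = list_selects(level, ranges, sev, msg_id)
    return {
        "inside_encrypted": covered_by_crypto_acl(ASA_INSIDE_IP, SYSLOG_HOST),
        "outside_encrypted": covered_by_crypto_acl(ASA_OUTSIDE_IP, SYSLOG_HOST),
        "selected": selected,
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

`outside_encrypted` is included to make the confidentiality point explicit: if the ASA sourced the syslog from its outside address instead (no `management-access inside`), the flow would not match the crypto ACL, and with a route to 192.168.168.0/24 via the outside interface the log lines would leave in the clear rather than through the tunnel. Replace `ASA_INSIDE_IP` with the real inside address from `show interface ip brief` before trusting the first result.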

1 Reply

I found this but it didn't work: https://community.cisco.com/t5/other-security-subjects/can-asa-send-it-s-syslogs-over-it-s-own-ipsec-tunnel/td-p/621554
"You will not need the 'same-security-traffic permit intra-interface' command -- the syslog traffic is being source from the ASA itself -- the syslog traffic is not being sourced 'from an interface'."
