ASA Syslog via a VPN Tunnel

Hi All,

I have a small problem regarding ASA and syslogs. I have a site-to-site tunnel between a local ASA and a remote ASA. Behind the local ASA I have a central syslog server (which does not have the ASA as a default gateway) which collects messages from all network devices and I want it to get the messages from the remote ASA as well.

The tunnel protects traffic between the local networks behind each ASA, which includes the remote ASA's Inside interface as well. The problem is that when I specify my syslog server on the remote ASA, the messages do not go through the VPN tunnel. The remote ASA sees my syslog server as being "outside", so it uses the outside IP address as the source interface for the syslog messages, which of course do not go through the tunnel. As far as I can tell there is no way to configure the source interface for logging on the ASA, as you can on a normal IOS router.

I found some documents explaining this setup on CCO, but they all suggest that I extend the access-list for the interesting traffic to allow UDP/514 traffic from the remote PIX outside interface to my local syslog server. This is not something that I want to do, as I would get into routing complications in my local network with the public IP address of the remote ASA.

Any suggestions? I thought I could use some sort of NAT on the remote ASA so that all traffic for my local network sourced by the remote PIX is translated to the inside interface address, which in theory should make the packet go via the tunnel. I didn't manage so far.

Any help is appreciated.

Best regards,

Stefan

Accepted Solution

Panos Kampanakis
Cisco Employee

You can define the interface the ASA is going to use to send the logs with "logging host <interface> syslog_ip".

Make sure you also do "management-access <interface>".

Then the ASA should source the syslogs from the inside interface which is probably encrypted with the crypto ACL.

I hope it helps.

PK

8 Replies


That is not really true: the interface mentioned in the "logging host <interface>" command only tells the ASA where the syslog server resides, not what source interface to use to contact the syslog server.

I am gonna give the management-access command a try though, thanks for the suggestion.

Regards,

Stefan

I have it working for 10 sites.

logging host inside x.x.x.x    <= where x.x.x.x is your syslog server IP across the VPN

management-access inside

Hope this helps.


Just an update on my problem. Configuring the inside interface as "management-access" didn't help.

Trying to understand the problem I kept reading the info on CCO about the "logging host" command on the ASA and according to the explanation, the interface name is where the syslog server resides:

interface_name

Specifies the interface on which the syslog server resides.

Which in my case would be the Outside, i.e. behind the VPN. So logically the command should be "logging host outside <syslog_ip>". As a last effort, I tried the "logging host inside <syslog_ip>" command, which according to the explanation on CCO would mean my syslog server is behind the inside interface. However, the syslogs suddenly started to work, so it would seem that the "logging host <interface>" command on the ASA does indeed specify the source interface. Which would make the explanation on CCO slightly wrong, or at least very confusing.

In any case, now it works. Thanks!


Regards,

Stefan

Yup, you need the management-access command, and the host inside for the logging. The doc is right because it refers to what the command does in general. But for VPN it is slightly different: the ASA knows that traffic from inside to your server is going to be encrypted, so even though the command says inside it sends it over the VPN. Practically, the other VPN endpoint's side is your inside also, so that is the idea behind it.

I am glad it is solved now.

PK
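The two commands from the posts above only work because the remote ASA's inside address already falls inside the crypto ACL. The following remote-side configuration is an added example that ties them together; it is not Stefan's, PK's or the "10 sites" poster's configuration. The addresses 192.168.175.1 and 172.24.100.98 are borrowed from the later SNMP post, and everything else (object names, the 203.0.113.x/198.51.100.x documentation-range tunnel endpoints, the transform set) is an assumption. IKE policy, pre-shared key and tunnel-group lines are omitted as they do not affect the sourcing behaviour.

```cisco
! Remote ASA (8.4-era syntax). Assumed addressing for this example:
!   inside   192.168.175.1/24   LAN behind the remote ASA
!   outside  203.0.113.2        remote tunnel endpoint
!   hub LAN  172.24.100.0/24    syslog server 172.24.100.98 lives here
!   hub peer 198.51.100.1       outside address of the local (hub) ASA
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.175.1 255.255.255.0

object network REMOTE-LAN
 subnet 192.168.175.0 255.255.255.0
object network HUB-LAN
 subnet 172.24.100.0 255.255.255.0

! Crypto ACL. It must cover the ASA's OWN inside address (192.168.175.1 is
! inside REMOTE-LAN); that is what makes inside-sourced syslog "interesting
! traffic". The public outside address is deliberately NOT in this ACL.
access-list VPN-TRAFFIC extended permit ip object REMOTE-LAN object HUB-LAN

! NAT exemption (8.3+ twice NAT) so the inside source address survives
! untranslated and still matches VPN-TRAFFIC on the way out.
nat (inside,outside) source static REMOTE-LAN REMOTE-LAN destination static HUB-LAN HUB-LAN no-proxy-arp route-lookup

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! Allow management-plane traffic (syslog, SNMP, SSH) to be sourced from the
! inside interface even though the destination is reached via outside.
management-access inside

! Name "inside" here even though the server is behind the tunnel: the ASA then
! sources the UDP/514 datagrams from 192.168.175.1, which matches VPN-TRAFFIC.
! The CLI prints "WARNING: configured logging host interface conflicts with
! route table entry" for this line; as the thread reports, it still works.
logging enable
logging timestamp
logging trap informational
logging host inside 172.24.100.98
```

Two checks worth doing once this is in place. First, the hub ASA's mirror-image crypto ACL must permit 172.24.100.0/24 to 192.168.175.0/24, otherwise the SA will not negotiate for this pair; syslog over UDP is one-way, so the syslog server itself needs no route back to 192.168.175.0/24 (SNMP polling, which expects replies, does). Second, confirm nothing leaves in the clear: a capture on the remote ASA such as `capture SYSLOG interface outside match udp any host 172.24.100.98 eq 514` should stay empty, because correctly tunnelled syslog appears on outside only as ESP. If the capture fills up, the source address did not match the crypto ACL, which is exactly what `logging host outside 172.24.100.98` produces: plaintext syslog addressed to a private IP, sent out the public interface.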

Did you try it yourself, and does it work? I am able to poll the remote ASA over the tunnel using the management-access inside command. However, I get a warning message when doing the logging command.

See below.

ASA(config)# sh run | in management

management-access inside

ASA(config)# sh run | in snmp-ser

snmp-server host inside 172.24.100.98 community *****

admin@Mgmt01:~$ snmpwalk -c dummy -v 2c 192.168.175.1

iso.3.6.1.2.1.1.1.0 = STRING: "Cisco Adaptive Security Appliance Version 8.4(7)"

iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.1.745

iso.3.6.1.2.1.1.3.0 = Timeticks: (39904100) 4 days, 14:50:41.00

However I get warning message for the logging:

ASA(config)# logging host inside 172.24.100.98

WARNING:  configured logging host interface conflicts with route table entry

ASA(config)#

I am troubleshooting the log server to see whether the syslog messages come through on the other end or not.

>WARNING:  configured logging host interface conflicts with route table entry

I was also having this issue and treated this warning message as "this won't work". I ignored the message and it worked :)

I am having the same issue. Can you post your "working" configuration for sending syslogs to a syslog server over a VPN tunnel?

Thanks
