Contributor

Why does Real-Time monitor not show all denied traffic?

So many times when I know for sure something is blocked via ACL on the ASA, I don't see denied logs when that same applicable traffic is attempting to pass through the ASA, and I am wondering why. Logging is configured for such; see below. Any help, guys/gals?

 

sh logg
Syslog logging: enabled
Facility: 17
Timestamp logging: enabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: level debugging, 1203550847 messages logged
Buffer logging: level informational, 1158404665 messages logged

 

VIP Advisor

Re: Why does Real-Time monitor not show all denied traffic?

Can you post

 

show running-config logging

BB
*** Rate All Helpful Responses ***

Re: Why does Real-Time monitor not show all denied traffic?

Does your ACL statement have "log" at the end of your syntax? In other words, is logging enabled on your deny rule?

Contributor

Re: Why does Real-Time monitor not show all denied traffic?

Yes, it has log at the end of the statement. I thought Real-time viewer will show all traffic passing through any of your interfaces on the FW?

Contributor

Re: Why does Real-Time monitor not show all denied traffic?

Here you go.

 

ASA# sh running-config logging
logging enable
logging timestamp
logging buffer-size 16384
logging asdm-buffer-size 300
logging monitor debugging
logging buffered informational
logging trap notifications
logging asdm debugging
logging facility 17
logging queue 2048
logging device-id hostname
logging host management X.X.X.X
logging host management X.X.X.X
logging host management X.X.X.X
logging host management X.X.X.X
logging host management X.X.X.X
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
logging rate-limit 1000 2 level 1
logging rate-limit 1000 2 level 2
logging rate-limit 500 2 level 4
logging rate-limit 500 2 level 5
logging rate-limit 1000 2 level 6
logging rate-limit 500 2 level 7

Re: Why does Real-Time monitor not show all denied traffic?

You may not see logs if the permit rule is before the deny rule with logging.  Alternatively, you may use ASA features such as packet tracer and packet capture.  Be careful when using packet capture considering it can be CPU intensive.
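
Added example, not part of the original thread: a small Python check, run offline against saved `show running-config logging` output, that lists which deny-related syslog IDs are switched off with `no logging message` and which enabled ones fall under a `logging rate-limit`. The sample config is abridged from the output posted above; the ID descriptions and default severities in `DENY_MESSAGES` and the function name `audit_logging` are assumptions of this example, based on Cisco's ASA syslog message reference.

```python
import re

# Constructed sample, abridged from the "show running-config logging" output in the thread.
SAMPLE_CONFIG = """\
logging enable
logging monitor debugging
logging buffered informational
logging asdm debugging
no logging message 106015
no logging message 313001
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302013
logging rate-limit 500 2 level 4
logging rate-limit 1000 2 level 6
"""

# Assumption of this example: deny-related syslog IDs with their default
# severity, as listed in Cisco's ASA syslog message reference.
DENY_MESSAGES = {
    "106015": (6, "Deny TCP (no connection)"),
    "106023": (4, "packet denied by an access-group ACL"),
    "106100": (6, "ACE hit logged via the 'log' keyword"),
    "313001": (3, "denied ICMP to the ASA"),
    "710003": (3, "connection to the ASA itself denied by ACL"),
}

def audit_logging(config):
    """Return (suppressed_ids, rate_limited) for the deny-related messages."""
    disabled = set(re.findall(r"^no logging message (\d+)\s*$", config, re.M))
    limits = {int(lvl): (int(num), int(sec)) for num, sec, lvl in re.findall(
        r"^logging rate-limit (\d+) (\d+) level (\d+)\s*$", config, re.M)}
    suppressed = sorted(mid for mid in DENY_MESSAGES if mid in disabled)
    # A message that is still enabled can be dropped by its level's rate limit.
    rate_limited = {mid: limits[sev] for mid, (sev, _) in DENY_MESSAGES.items()
                    if mid not in disabled and sev in limits}
    return suppressed, rate_limited

if __name__ == "__main__":
    suppressed, rate_limited = audit_logging(SAMPLE_CONFIG)
    for mid in suppressed:
        print(f"{mid} is disabled on every destination: {DENY_MESSAGES[mid][1]}")
    for mid, (num, sec) in rate_limited.items():
        print(f"{mid} is capped at {num} messages per {sec}s")
```

A message ID reported as disabled will not appear in the ASDM real-time viewer, the buffer, or on a syslog host, regardless of the `log` keyword on the ACE.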