ASA debug removed when closing session

ggr.support
Level 1

Hi Guys,

I am trying to enable some debug on an ASA5510 running 8.2(1) and want this debug sent to a syslog server in a test environment. My current config is below -

logging enable
logging list test-ssh message 711001
logging buffer-size 10000
logging console warnings
logging monitor warnings
logging buffered debugging
logging trap test-ssh
logging asdm warnings
logging host inside X.X.X.X
logging debug-trace

At the moment I am just testing this by trapping message 711001 (debug). This all works when I enter the command 'debug ssh' and the messages get sent to my syslog server. If I do a 'show debug' it shows -

ciscoasa# sh deb
debug ssh  enabled at level 255

The problem I am having is that as soon as I close my SSH session the debug command is completely removed and hence I stop receiving syslog. If I connect to the ASA again and do a 'show debug' there is nothing enabled.

Is there a way to enable a debug command permanently so that I can continue to receive the syslog messages once the SSH session has been closed?


Regards,

Paul.

12 Replies

Hi,

You're saying that you do the command:

sh debug

And you see this:

debug ssh  enabled at level 255

And when you close the SSH session it goes away?

Sh debug shows nothing?

Question:

When you close the SSH session, how do you log in to the ASA? Do you have another connection, or do you connect back in?

Federico.

Hi,

I am closing the SSH session, I have no other active open sessions and then I start a new SSH session to connect back in.

When I now do a sh debug it shows nothing -

ciscoasa# sh deb
ciscoasa#

Thanks,

Paul.

I just did it as a test and I got the same result!

Do you still get the debug log on the syslog server?

Federico.

Hi,

No, the debug output on the syslog server stops as soon as I close my session.

Paul.

Are you getting this message on the ASA:

ASA(config)# debug ssh
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
debug ssh  enabled at level 1

Federico.

Yes -

ciscoasa# deb ssh
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
debug ssh  enabled at level 1
ciscoasa#

Just to make sure I have also removed my message filter in case this was causing an issue. My config is now -

ciscoasa# sh run logging
logging enable
logging buffer-size 10000
logging console warnings
logging monitor warnings
logging buffered debugging
logging trap debugging
logging asdm warnings
logging host inside X.X.X.X
logging debug-trace
logging permit-hostdown

Paul.

Actually, if you remove all logging commands:

clear config log

You get the same results.

This does not only happen with debug ssh, correct?

For example, if you configure any other debug as well, the same thing happens, correct?

Federico.

Correct, if I configure any type of debug and then close the session the debug is removed. I have not been able to find any information about this as to whether it is expected behaviour or if there is a way around it.

Paul.

It seems the debugs are session specific.

It means that it is expected behavior that after disconnecting from an SSH session you no longer see the debug enabled.

The thing is that the logging debug-trace should keep sending the debugs to the syslog server.

Can you confirm that those messages are logged to the syslog server, but they stop appearing on the syslog server after disconnecting the SSH session?

Federico.

Yes the debug messages are logged to the syslog server but as soon as I disconnect my SSH session I stop receiving the debug.

Paul.

I have just opened a case with Cisco TAC to enquire about this and they have confirmed it is currently expected behaviour that debug is session based. As soon as you close your session onto an ASA all debug from your session is removed.

In case it helps or anyone is interested, Cisco have a bug open to add this as a feature enhancement in future code - CSCse30168

Regards,

Paul.

Hi, in case someone would need to keep a debug active for a while, there is a workaround: set the anti-idle feature in your SSH client.
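An added example, not part of the thread or any poster's code: because the debug (and with it the 711001 syslog) disappears silently when the session closes, the collector can flag when 711001 messages go quiet while the ASA is still logging other messages. The collector line format (ISO timestamp, host, message), the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed collector format: "<ISO-8601 timestamp> <host> %ASA-<level>-<id>: <text>"
LINE_RE = re.compile(r"^(\S+)\s+\S+\s+%ASA-(\d)-(\d{6}):")

def debug_trace_gaps(lines, max_silence=timedelta(minutes=5)):
    """Return (last_711001, resumed_at) pairs where debug-trace syslog was
    silent for longer than max_silence. resumed_at is None when 711001 never
    came back although the ASA kept sending other messages."""
    gaps = []
    last_debug = None  # time of the most recent 711001 message
    last_any = None    # time of the most recent ASA message of any id
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ASA syslog line in the assumed format
        ts = datetime.fromisoformat(m.group(1))
        if m.group(3) == "711001":
            if last_debug and ts - last_debug > max_silence:
                gaps.append((last_debug, ts))
            last_debug = ts
        last_any = ts
    # End of input: the device is still logging, but debug output has stopped.
    if last_debug and last_any - last_debug > max_silence:
        gaps.append((last_debug, None))
    return gaps

# Constructed sample: debug stops after the session closes, other logs continue.
SAMPLE = [
    "2024-01-01T10:00:00 asa %ASA-7-711001: (constructed debug text)",
    "2024-01-01T10:01:00 asa %ASA-7-711001: (constructed debug text)",
    "2024-01-01T10:02:00 asa %ASA-6-315011: (constructed) SSH session disconnected",
    "2024-01-01T10:20:00 asa %ASA-6-302013: (constructed) connection built",
]

if __name__ == "__main__":
    for last_seen, resumed in debug_trace_gaps(SAMPLE):
        print(f"711001 silent since {last_seen}, resumed: {resumed}")
```

A trailing gap is only reported when other ASA messages arrive after the last 711001, which separates "debug was removed" from "the firewall stopped logging altogether".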
