Can the ASA 'sla monitor' log state changes to the log buffer?!

Unanswered Question
Aug 29th, 2010

Questions: Does anyone know if "sla monitor" can log its state changes? If not now, is it planned in a future release?

Background: Since version 7.2(1), the ASA firewall has a "sla monitor" feature to monitor the availability of remote IP addresses, e.g.

  sla monitor 10
   type echo protocol ipIcmpEcho 10.1.10.1 interface outside
   num-packets 3
   frequency 10
  sla monitor schedule 10 life forever start-time now

which can then be applied to make routing changes (using "track" to add/remove routes), e.g.:

  route outside 0.0.0.0 0.0.0.0 10.1.1.1 1 track 1
  route outsid2 0.0.0.0 0.0.0.0 10.2.2.2 250

The running state can be manually seen with:

  anyASAfirewall# show sla monitor operational-state
  Entry number: 10
  ...

  Latest operation return code: OK
  ...

Other than debug commands, the state changes are not logged, nor do there appear to be any respective logging commands.

The ability for sla monitor to log state changes would be a very useful feature, particularly in determining when *all* events occurred and action was taken.

Thanks in advance

Jason

praprama Sun, 08/29/2010 - 21:33

Hi,

I think the below is what you are looking for:

http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp3741861

You can also look at the below link:

http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search&locale=en&index=all&query=ASA-6-622001&counter=0&paging=5&links=reference&sa=Submit

You can look at the below document for all the logs that are produced when tracking succeeds and when it fails:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml#debug

Let me know if this helps. All the best!!

Regards,

Prapanch

j.irwin Sun, 08/29/2010 - 22:50

Thanks Nagaraja and Prapanch,

I am already familiar with these links; to be clear, none make mention of non-debug logging, nor any specific sla log commands.

However, I can confirm (even on version 8.0) that Nagaraja's 622001 events do get logged *without debug enabled*.

Aug 30 2010 14:58:27: %ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 10.1.1.1, distance 1, table Default-IP-Routing-Table, on interface outside
...
Aug 30 2010 14:58:27: %ASA-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 10.1.1.1, distance 1, table Default-IP-Routing-Table, on interface outside

Hence these logs are available without any extra commands (from the original post).

The catch is these log events are type 6, which requires the very verbose:

  logging buffered informational

So in most production environments these logs will quickly expire when the log wraps, even with a megabyte of local logs:

  logging buffer-size 1048576

Regards,

Jason

praprama Sun, 08/29/2010 - 23:20

Hi,

Just to clarify a thing here. Any message starting with the format of %PIX/ASA-x-yyyyyy is a syslog message and will not require any debugs to be run on the device. The link with the configuration example for SLA monitoring shows all logs produced when the tracking succeeds and when the tracking fails.

Regarding the syslog like below:

  %PIX-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 10.200.159.1, distance 1, table Default-IP-Routing-Table, on interface outside

If you do not want to enable buffered logging at level 6, you can change the default level of this message to something higher using the below command:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/l2_72.html#wp1689570


So for example, if you would like to enable logging at level 3 (errors) but still want the syslog id 622001 to be logged, you can change the level of this command to errors using:

  logging message 622001 level 3

Once this is done, you should see this message being logged at level 3 in the buffer. Hope this helps.

Regards,
Prapanch

Nagaraja Thanthry Sun, 08/29/2010 - 23:21

Hello,

If you do not want to log at level 6, you can change the message level.

  logging message 622001 level 3

This command will force the ASA to log 622001 at level 3. You can also configure SNMP logging or mail logging for this specific event (although mail logging is not very efficient).

Hope this works for you.

Regards,

NT
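An added example (not from the thread or from Cisco) that ties together Jason's observation that the 622001 route add/remove messages are the only non-debug record of a tracked-route failover, and the replies' point that `logging buffered` keeps a message only if its severity is at or below the configured level unless `logging message 622001 level 3` re-levels it. The script parses an ASA syslog buffer, models that level filter (the override-then-filter order is an assumption based on the thread's description, not Cisco's implementation), and pairs each "Removing tracked route" with the next "Adding" of the same route to give outage windows. The sample buffer is constructed: the two 622001 lines follow the format quoted above, the other two are filler of different severities.

```python
"""Parse ASA tracked-route syslogs (message 622001) and model the buffered-log level filter.

Added example; sample lines are constructed, and the filter model is an
assumption drawn from the thread, not Cisco documentation.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample buffer: two 622001 lines in the thread's format plus two
# filler events (severity 6 and 4) so the level filter has something to drop.
SAMPLE_LOG = """\
Aug 30 2010 14:58:17: %ASA-6-302013: Built outbound TCP connection 12345 for outside:10.1.10.1/80 (10.1.10.1/80) to inside:192.168.1.5/40001 (192.168.1.5/40001)
Aug 30 2010 14:58:27: %ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 10.1.1.1, distance 1, table Default-IP-Routing-Table, on interface outside
Aug 30 2010 14:59:05: %ASA-4-106023: Deny tcp src outside:10.9.9.9/4444 dst inside:192.168.1.5/22 by access-group "outside_in"
Aug 30 2010 15:03:41: %ASA-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 10.1.1.1, distance 1, table Default-IP-Routing-Table, on interface outside
"""

# "%ASA-<severity>-<msgid>: text" header, as seen with a timestamp prefix.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%(?P<platform>ASA|PIX)-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)
# Body of message 622001 as quoted in the thread.
ROUTE_RE = re.compile(
    r"^(?P<action>Adding|Removing) tracked route (?P<dst>\S+) (?P<mask>\S+) (?P<gw>\S+), "
    r"distance (?P<dist>\d+), table (?P<table>\S+), on interface (?P<iface>\S+)$"
)


@dataclass(frozen=True)
class Syslog:
    ts: datetime
    sev: int
    msgid: str
    text: str


@dataclass(frozen=True)
class RouteEvent:
    ts: datetime
    action: str   # "Adding" or "Removing"
    route: str    # "dst mask via gw on iface"


def parse_syslog(line: str) -> Optional[Syslog]:
    """Return a Syslog for a well-formed ASA/PIX line, else None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    return Syslog(ts, int(m["sev"]), m["msgid"], m["text"])


def effective_severity(entry: Syslog, overrides: Dict[str, int]) -> int:
    """Severity after 'logging message <id> level <n>' (modelled as a msgid -> level dict)."""
    return overrides.get(entry.msgid, entry.sev)


def is_buffered(entry: Syslog, buffered_level: int, overrides: Dict[str, int]) -> bool:
    """'logging buffered <level>' keeps a message only if severity <= configured level."""
    return effective_severity(entry, overrides) <= buffered_level


def retained_lines(log: str, buffered_level: int, overrides: Dict[str, int]) -> List[str]:
    """Lines that would survive into the buffer under the given level and overrides."""
    kept = []
    for line in log.splitlines():
        entry = parse_syslog(line)
        if entry is not None and is_buffered(entry, buffered_level, overrides):
            kept.append(line)
    return kept


def route_events(log: str) -> List[RouteEvent]:
    """Extract tracked-route add/remove events (message 622001) from a buffer."""
    events = []
    for line in log.splitlines():
        entry = parse_syslog(line)
        if entry is None or entry.msgid != "622001":
            continue
        m = ROUTE_RE.match(entry.text)
        if not m:
            continue
        route = f"{m['dst']} {m['mask']} via {m['gw']} on {m['iface']}"
        events.append(RouteEvent(entry.ts, m["action"], route))
    return events


def outages(events: List[RouteEvent]) -> List[Tuple[str, datetime, datetime, int]]:
    """Pair each Removing with the next Adding of the same route: (route, down, up, seconds)."""
    down: Dict[str, datetime] = {}
    result = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "Removing":
            down.setdefault(ev.route, ev.ts)
        elif ev.route in down:
            start = down.pop(ev.route)
            result.append((ev.route, start, ev.ts, int((ev.ts - start).total_seconds())))
    return result


if __name__ == "__main__":
    for route, start, end, secs in outages(route_events(SAMPLE_LOG)):
        print(f"{route}: down {start} -> up {end} ({secs}s)")
    print("kept at level 3, no override:", len(retained_lines(SAMPLE_LOG, 3, {})))
    print("kept at level 3 with 622001 -> 3:", len(retained_lines(SAMPLE_LOG, 3, {"622001": 3})))
```

Running it shows the single failover window (314 seconds) and that at `logging buffered errors` nothing from the sample survives until 622001 is re-levelled to 3, which is the trade-off the replies describe: keep the buffer terse, but pin the few messages you need for timeline reconstruction.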
