ASA5540 Logging Issues.

Unanswered Question
Oct 1st, 2010

I have some network monitoring servers that are using snmp/icmp to monitor devices on the network. The icmp functions are not used but cannot be turned off on the application so are blocked on the firewall. This is filling the logs on the ASA with icmp denied messages.

The FW acl has 2 lines which log traffic, "deny tcp any any log informational interval 300" and "deny udp any any log informational interval 300", both at the end of the ACL just before the implicit deny. Neither of which I believe should log icmp traffic. In case I am wrong I added an additional line denying icmp from the servers to the network above those lines with no log statement. Packet-tracer confirms icmp is being blocked by this deny statement. The acl is also showing about 40K hits on the line blocking icmp.

Yet the logs on the ASA still show icmp packets being denied between the servers and network devices. Is there some other service running that is logging, is it more likely I should check my ACLs again, am I doing something wrong, or are there any bugs that could affect this? Bit stuck with this one, any help would be appreciated.

FW-PRI/act# show ver
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.0(3)
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
FW-PRI up 1 year 83 days
failover cluster up 1 year 83 days
Hardware:   ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Jennifer Halim Fri, 10/01/2010 - 05:04

The syslog# that is being logged by the "log" keyword on the ACL is syslog# 106100:

The ICMP denied messages are probably logged under syslog# 106023:

If that is correct, you can turn off logging for syslog# 106023 as follows:

no logging message 106023

That would disable logging for syslog# 106023.

Hope that helps.

ihatelogin Mon, 10/04/2010 - 02:42

Thank you for the replies, if I understand this correctly the logging is automatic and can only be turned off globally. I can only turn it off for certain subnets as we know why that is occurring and we can't turn it off on the application, anything else would incur the wrath of change control. Is there any way to just turn it off for these subnets?

praprama Mon, 10/04/2010 - 05:36


Unfortunately, that cannot be done. One thing you can do to throttle the rate at which messages are generated for that subnet alone is to use an access-list entry with the log keyword. For details on this command, please refer to the link below:

So for example, if you want to throttle pings only to subnet, you can add an access-list entry as below:

access-list ACL deny icmp any log 7 interval 1000

access-group ACL in interface outside

So what the above does is produce syslog ID 106100 at an interval of 1000 seconds specifying how many times this access-list entry has been hit in the past 100 seconds. You can specify an interval as required. For details about this syslog, please refer to the link below:

Please note that I have just given a sample ACL config above. Ensure you add this access-list entry to the corresponding ACL on the right interface as per your requirement.

Let me know how it goes!!

Thanks and Regards,


praprama Tue, 10/05/2010 - 08:45


Did you manage to test the above? If there are no further queries, please do mark this post as answered.



praprama Fri, 10/01/2010 - 05:11


Those logs will come up by default as and when traffic is denied by the firewall. If you do not want the deny ICMP logs to fill up the logs, you can disable that particular syslog using the command:

no logging message <MESSAGE_id>

The MESSAGE_id is the number you see on the syslogs. For details on the command, please refer to the below:

let me know if this helps!



