ASA5540 Logging Issues.

ihatelogin
Level 1

I have some network monitoring servers that are using SNMP/ICMP to monitor devices on the network. The ICMP functions are not used but cannot be turned off in the application, so they are blocked on the firewall. This is filling the logs on the ASA with ICMP denied messages.

The FW ACL has 2 lines which log traffic: "deny tcp any any log informational interval 300" and "deny udp any any log informational interval 300", both at the end of the ACL just before the implicit deny. Neither of which, I believe, should log ICMP traffic. In case I am wrong, I added an additional line denying ICMP from the servers to the network above those lines, with no log statement. Packet-tracer confirms ICMP is being blocked by this deny statement. The ACL is also showing about 40K hits on the line blocking ICMP.

Yet the logs on the ASA still show ICMP packets being denied between the servers and network devices. Is there some other service running that is logging, is it more likely I should check my ACLs again, am I doing something wrong, or are there any bugs that could affect this? Bit stuck with this one, any help would be appreciated.

FW-PRI/act# show ver
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.0(3)
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
FW-PRI up 1 year 83 days
failover cluster up 1 year 83 days
Hardware:   ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

5 Replies

Jennifer Halim
Cisco Employee

The syslog# that is being logged by the "log" keyword on the ACL is syslog# 106100:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769049

The ICMP denied messages are probably logged under syslog# 106023:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769021

If that is correct, you can turn off logging for syslog# 106023 as follows:

no logging message 106023

That would disable logging for syslog# 106023

Hope that helps.
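Before disabling a message ID globally, it is worth confirming from the syslog feed itself which ID carries the ICMP noise and how much of it comes from the known monitoring hosts. The script below is an added example, not part of this thread; it parses a handful of constructed ASA syslog lines (modelled on the documented 106023 and 106100 formats, with made-up addresses and ACL names) and aggregates denied packets by message ID, protocol and source subnet. The subnet list and ACL names are assumptions for the sample only.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines modelled on the ASA 8.0 %ASA-4-106023 and %ASA-6-106100
# message formats. Addresses, interface names and ACL names are invented for this example.
SAMPLE_SYSLOG = """\
%ASA-4-106023: Deny icmp src inside:10.10.5.21 dst dmz:10.20.1.7 (type 8, code 0) by access-group "INSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny icmp src inside:10.10.5.22 dst dmz:10.20.1.8 (type 8, code 0) by access-group "INSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny icmp src inside:10.10.5.21 dst dmz:10.20.1.9 (type 8, code 0) by access-group "INSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.4/51234 dst inside:10.10.9.9/445 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-6-106100: access-list INSIDE_IN denied udp inside/10.10.7.3(53) -> dmz/10.20.1.7(53) hit-cnt 12 300-second interval [0x0, 0x0]
%ASA-6-106100: access-list INSIDE_IN denied tcp inside/10.10.7.4(40000) -> dmz/10.20.1.7(22) hit-cnt 3 300-second interval [0x0, 0x0]
"""

MSG_ID_RE = re.compile(r"%ASA-(\d)-(\d{6}):")
# 106023: one message per denied packet; no "log" keyword on the matching ACE.
DENY_106023_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/\d+)?"
)
ACL_106023_RE = re.compile(r'by access-group "(?P<acl>[^"]+)"')
# 106100: produced by an ACE with the "log" keyword; hit-cnt summarises the interval.
DENY_106100_RE = re.compile(
    r"access-list (?P<acl>\S+) denied (?P<proto>\w+) (?P<src_if>[\w-]+)/(?P<src>[\d.]+)\(\d+\) -> "
    r"(?P<dst_if>[\w-]+)/(?P<dst>[\d.]+)\(\d+\) hit-cnt (?P<hits>\d+)"
)


def parse_line(line):
    """Return a dict describing one ASA deny message, or None for anything else."""
    head = MSG_ID_RE.search(line)
    if not head:
        return None
    severity, msg_id = head.groups()
    if msg_id == "106023":
        m = DENY_106023_RE.search(line)
        if not m:
            return None
        acl_m = ACL_106023_RE.search(line)
        hits, acl = 1, (acl_m.group("acl") if acl_m else None)
    elif msg_id == "106100":
        m = DENY_106100_RE.search(line)
        if not m:
            return None
        hits, acl = int(m.group("hits")), m.group("acl")
    else:
        return None
    return {"msg_id": msg_id, "severity": int(severity), "proto": m.group("proto"),
            "src": m.group("src"), "dst": m.group("dst"), "hits": hits, "acl": acl}


def summarize(lines):
    """Denied packets per (message ID, protocol); 106100 lines contribute their hit-cnt."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["msg_id"], rec["proto"])] += rec["hits"]
    return counts


def icmp_denies_from(lines, subnets, msg_id="106023"):
    """Return (from_subnets, total) ICMP denies for msg_id, to size the share of
    noise that is explained by the known monitoring hosts."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    total = matched = 0
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["msg_id"] != msg_id or rec["proto"] != "icmp":
            continue
        total += rec["hits"]
        if any(ipaddress.ip_address(rec["src"]) in n for n in nets):
            matched += rec["hits"]
    return matched, total


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    for (msg_id, proto), n in sorted(summarize(lines).items()):
        print(f"{msg_id} {proto:<5} {n} denied")
    # Assumed monitoring subnet for the sample data.
    known, total = icmp_denies_from(lines, ["10.10.5.0/24"])
    print(f"ICMP 106023 from monitoring subnet: {known}/{total}")
```

If the ICMP share of 106023 comes almost entirely from the monitoring subnet, the per-subnet ACE approach discussed further down the thread (a deny with the log keyword and a long interval) confines the change to that traffic; if it does not, turning off 106023 globally also hides every other denied packet the firewall would otherwise report.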

Thank you for the replies. If I understand this correctly, the logging is automatic and can only be turned off globally. I can only turn it off for certain subnets, as we know why that is occurring and we can't turn it off on the application; anything else would incur the wrath of change control. Is there any way to just turn it off for these subnets?

Hi,

Unfortunately, that cannot be done. One thing you can do to throttle the rate at which messages are generated for that subnet alone is to use an access-list entry with the log keyword. For details on this command, please refer to the link below:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1541842

So, for example, if you want to throttle pings only to subnet 10.1.1.0/24, you can add an access-list entry as below:

access-list ACL deny icmp any 10.1.1.0 255.255.255.0 log 7 interval 1000

access-group ACL in interface outside

So what the above does is produce syslog ID 106100 at an interval of 1000 seconds, specifying how many times this access-list entry has been hit in the past 100 seconds. You can specify an interval as required. For details about this syslog, please refer to the link below:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769049

Please note that I have just given a sample ACL config above. Make sure to add this access-list entry to the corresponding ACL on the right interface as per your requirement.

Let me know how it goes!!

Thanks and Regards,

Prapanch

Hi,

Did you manage to test the above? If there are no further queries, please do mark this post as answered.

Regards,

Prapanch

praprama
Cisco Employee

Hi,

Those logs will come up by default as and when traffic is denied by the firewall. If you do not want the deny ICMP logs to fill up the logs, you can disable that particular syslog using the command:

no logging message <MESSAGE_id>

The MESSAGE_id is the number you see on the syslogs. For details on the command, please refer to the link below:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/l2.html#wp1752247

let me know if this helps!

Regards,

Prapanch
