ASA 5520 - Syslog and Tacacs generate ping response?

Unanswered Question
Mar 21st, 2012

Hi,

I'm trying to configure an ASA firewall (FW2) for syslog and tacacs and am experiencing strange behavior. Both the syslog and ACS server are on the inside of another firewall (CoreFW). Whenever a log message is generated on FW2 the request is dropped by CoreFW and message '%ASA-4-313004: Denied ICMP type=0, from laddr FW2 on interface outside-b2b to syslog01: no matching session' is displayed. The same thing occurs for tacacs.

It appears that the syslog and ACS requests are generating ICMP echo replies, which the core firewall drops since no session exists on a lower security interface. I have access lists configured on CoreFW to allow the syslog and tacacs requests.

FW2 is running asa825-k8.bin, CoreFW is asa824-k8.bin.

I'm baffled! Please pass along any suggestions.

Thanks, Glenn

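As an added example (not part of this thread and not Cisco code), here is a small Python parser for the %ASA-4-313004 message Glenn quoted, run over a few constructed sample log lines. It pulls out the ICMP type, source, interface and destination, lists the dropped echo replies (type 0) that the core firewall saw without a matching session, and counts drops per host so you can see which servers keep tripping the rule. The hostnames, the 203.0.113.7 address and the extra 302013 line in the sample are constructed; the 313004 pattern follows the message quoted above.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines. The first line is the message quoted in the
# question; the remaining hosts/addresses are made up for illustration.
SAMPLE_LOG = """\
%ASA-4-313004: Denied ICMP type=0, from laddr FW2 on interface outside-b2b to syslog01: no matching session
%ASA-4-313004: Denied ICMP type=0, from laddr FW2 on interface outside-b2b to acs01: no matching session
%ASA-4-313004: Denied ICMP type=8, from laddr 203.0.113.7 on interface outside-b2b to syslog01: no matching session
%ASA-6-302013: Built inbound TCP connection 1234 for outside-b2b:FW2/51234 (FW2/51234) to inside:acs01/49 (acs01/49)
"""

# %ASA-<severity>-<message id>: <body>
MSG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")

# Body of message 313004. The "laddr" token appears in the quoted message, so it is optional here.
DENIED_ICMP_RE = re.compile(
    r"Denied ICMP type=(?P<type>\d+), from (?:laddr )?(?P<src>\S+) on interface "
    r"(?P<iface>\S+) to (?P<dst>\S+): no matching session"
)

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def parse_asa_line(line):
    """Split a %ASA-<sev>-<id>: <body> line into its parts; None if it is not an ASA message."""
    m = MSG_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_denied_icmp(line):
    """Return the fields of a 313004 'Denied ICMP ... no matching session' line, else None."""
    hdr = parse_asa_line(line)
    if not hdr or hdr["id"] != "313004":
        return None
    m = DENIED_ICMP_RE.match(hdr["body"])
    if not m:
        return None
    rec = m.groupdict()
    rec["type"] = int(rec["type"])
    return rec


def orphan_echo_replies(lines):
    """(src, iface, dst) for every denied type-0 entry: echo replies the firewall dropped
    because it never saw the echo request that should have opened a session."""
    out = []
    for line in lines:
        rec = parse_denied_icmp(line)
        if rec and rec["type"] == ICMP_ECHO_REPLY:
            out.append((rec["src"], rec["iface"], rec["dst"]))
    return out


def summarize(lines):
    """Count denied ICMP entries by (type, source, destination)."""
    counts = Counter()
    for line in lines:
        rec = parse_denied_icmp(line)
        if rec:
            counts[(rec["type"], rec["src"], rec["dst"])] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, iface, dst in orphan_echo_replies(lines):
        print(f"echo reply from {src} via {iface} to {dst} dropped: no prior echo request")
    for key, n in summarize(lines).items():
        print(key, n)
```

If the orphan list keeps growing with FW2 as the source and the syslog/ACS hosts as destinations, that narrows the question to what FW2 is sending on that interface, which is what the capture suggested in the reply below would confirm on the wire.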
mirober2 (Cisco Employee) Tue, 03/27/2012 - 06:20

Hi Glenn,

The ASA should not generate echo replies unless there was a corresponding echo request. Likewise, logging and AAA functions do not use ICMP echoes.

I would suggest setting up a capture on FW2's interface that faces the syslog/ACS server and see what that shows:

FW2# capture cap1 interface match ip any host
FW2# show capture cap1

You can also check the output of 'debug icmp trace' to see if/why the ASA is generating the echo reply.

-Mike
