ASA 5510 Real Time Log Viewer Delay, Slow

simonbilton
Level 1

Hi All,

I have a new ASA 5510 running 8.3(1) and ASDM 6.4(5)

I am trying to use the real time log viewer to help troubleshoot some access issues, but I am getting delays of up to 30 seconds or more between my client connecting to the ASA and the corresponding events showing in the RT Log viewer. I am using a simple filter for source IP as it's quite a busy device.

I've seen an article that says to turn off certain logging IDs (such as 304001 from memory, but don't quote me!) which I have done, but no different.

Any suggestions please?

Simon

6 Replies

varrao
Level 10

Hi Simon,

Can you share an output of show run logging from the ASA?

and

show access-list | include cache

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Thanks for coming back .... here's the two outputs you asked for.

I've previously tried disabling as much logging as possible (e.g. only to ASDM) but nothing seems to have any effect.
You will see the two specific syslog IDs that I disabled after reading another post somewhere, but don't think this is relevant to our situation. (I think I saw another post suggesting a further four or five similar IDs to turn off as well, but not got round to that yet.)

Could really do with getting this sorted as it's causing me loads of stress from the site admins, who keep reminding me that their previous Linux-based firewall "never had all these problems" - I am fighting for credibility here

byasa01# sh run logging
logging enable
logging console informational
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 192.168.20.50
no logging message 304002
no logging message 304001


byasa01# show access-list | include cache
access-list cached ACL log flows: total 100, denied 0 (deny-flow-max 4096)
byasa01#

Hi Simon,

I can understand what you are fighting against, but the real time log viewer is a convenient tool but not the best method, I would say. The ASA also has to prioritize tasks to manage everything; the priority for it is inspecting traffic, and logging is not a priority task for it. If your firewall is generating a high amount of traffic then I would expect there might be some delay, although we can use bare minimum things to reduce this delay.

I would suggest you disable the following logging first:

logging console informational

logging buffered informational

logging asdm informational

and then, reduce the time interval of the ACL log as well. For that, let's take an example where you are logging the following ACL:

access-list outside_in deny ip any any log interval 1

Make the interval 1 sec, which means it would send the log after every 1 sec; the default is 300.

and also can you provide this:

show logging queue

show logging message.

Thanks,

Varun

Thanks,
Varun Rao

Disabled logging as suggested, requested outputs below:-


byasa01# sh logging queue

        Logging Queue length limit : 512 msg(s)
        14307737 msg(s) discarded due to queue overflow
        0 msg(s) discarded due to memory allocation failure
        Current 0 msg on queue, 512 msgs most on queue

byasa01# sh logging mess
byasa01# sh logging message
syslog 304002: default-level notifications (disabled)
syslog 304001: default-level notifications (disabled)

Not tried changing the ACL log interval yet as running out of time for today, but will try it over the weekend if I get time.

Appreciate prompt responses, thanks

Simon

You can see it here:

14307737 msg(s) discarded due to queue overflow

which means it's quite a busy firewall.

Let me know how it goes, I am on the forum this weekend.

Thanks,

Varun

Thanks,
Varun Rao

Thanks once again.

While your statement about a busy firewall and the number of discarded messages makes sense in some respects, I'd appreciate a bit of an insight as to "what" is so busy.

This is a relatively small site - maybe 100 users - but with a proportionately high throughput to be honest - but do these numbers suggest a lot of stuff hitting the firewall and being rejected, hence blocking / delaying real traffic ?

Wouldn't mind a subjective opinion if you can spare some time.

Thanks

Simon
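
Added example, not posted by anyone in the thread: a small Python parser for the two outputs pasted above (`sh run logging` and `sh logging queue`) that reports which destinations are enabled at which severity and whether the logging queue reached its limit and discarded messages. The function names and the shape of the `review` result are assumptions of this example; the sample text is copied from the thread.

```python
import re

# Outputs copied from the thread (host byasa01); not live data.
RUN_LOGGING = """\
logging enable
logging console informational
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 192.168.20.50
no logging message 304002
no logging message 304001
"""
LOGGING_QUEUE = """\
        Logging Queue length limit : 512 msg(s)
        14307737 msg(s) discarded due to queue overflow
        0 msg(s) discarded due to memory allocation failure
        Current 0 msg on queue, 512 msgs most on queue
"""

def parse_run_logging(text):
    """Return ({destination: severity}, sorted list of disabled syslog IDs)."""
    dests = dict(re.findall(r"^logging (console|buffered|trap|asdm) (\w+)$", text, re.M))
    disabled = sorted(int(i) for i in re.findall(r"^no logging message (\d+)$", text, re.M))
    return dests, disabled

def parse_logging_queue(text):
    """Extract the counters printed by 'show logging queue'."""
    pats = {
        "limit": r"length limit\s*:\s*(\d+)",
        "overflow_drops": r"(\d+) msg\(s\) discarded due to queue overflow",
        "alloc_drops": r"(\d+) msg\(s\) discarded due to memory allocation",
        "current": r"Current (\d+) msg",
        "peak": r"(\d+) msgs most on queue",
    }
    out = {}
    for name, pat in pats.items():
        m = re.search(pat, text)
        if m is None:
            raise ValueError(f"counter not found: {name}")
        out[name] = int(m.group(1))
    return out

def review(dests, queue):
    # Saturated: the queue peaked at its limit and messages were discarded.
    saturated = queue["overflow_drops"] > 0 and queue["peak"] >= queue["limit"]
    # console, buffered and asdm are the destinations the thread's reply says to disable first.
    return {"queue_saturated": saturated,
            "disable_first": sorted(d for d in ("console", "buffered", "asdm") if d in dests)}
```

Running the same check again after a configuration change shows whether the overflow counter is still climbing.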
