New Member

ASA 5520 - Syslog and Tacacs generate ping response?

Hi;

I'm trying to configure an ASA firewall (FW2) for syslog and tacacs and am experiencing strange behavior.  Both the syslog and ACS servers are on the inside of another firewall (CoreFW).  Whenever a log message is generated on FW2, the request is dropped by CoreFW and the message '%ASA-4-313004: Denied ICMP type=0, from laddr FW2 on interface outside-b2b to syslog01: no matching session' is displayed.  The same thing occurs for tacacs.

It appears that the syslog and ACS requests are generating ICMP echo replies, which the core firewall drops since no session exists on a lower security interface.  I have access lists configured on CoreFW to allow the syslog and tacacs requests.

FW2 is running asa825-k8.bin; CoreFW is running asa824-k8.bin.

I'm baffled!  Please pass along any suggestions.

Thanks, Glenn

Cisco Employee

Hi Glenn,

The ASA should not generate echo replies unless there was a corresponding echo request. Likewise, logging and AAA functions do not use ICMP echo.

I would suggest setting up a capture on FW2's interface that faces the syslog/ACS server and see what that shows:

FW2# capture cap1 interface match ip any host

FW2# show capture cap1

You can also check the output of 'debug icmp trace' to see if/why the ASA is generating the echo reply.

-Mike
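As an added example that is not part of the thread, a small Python parser for the %ASA-4-313004 message Glenn quoted: it pulls the ICMP type, source, interface and destination out of each line and counts them per source/destination/type, so unexpected echo replies toward the syslog and ACS hosts stand out in a batch of CoreFW logs. The sample log lines are constructed, and the ICMP type-name table is an assumption for readability.

```python
import re
from collections import Counter

# Pattern built from the %ASA-4-313004 message quoted in the question.
ASA_313004 = re.compile(
    r"%ASA-4-313004: Denied ICMP type=(?P<icmp_type>\d+), from laddr (?P<src>\S+) "
    r"on interface (?P<iface>\S+) to (?P<dst>\S+): no matching session"
)

# Assumed names for the ICMP types most often seen in this message.
ICMP_TYPES = {0: "echo-reply", 3: "unreachable", 8: "echo-request", 11: "time-exceeded"}

def parse_313004(line):
    """Return the fields of a %ASA-4-313004 line as a dict, or None for any other message."""
    m = ASA_313004.search(line)
    if not m:
        return None
    icmp_type = int(m.group("icmp_type"))
    return {
        "icmp_type": icmp_type,
        "icmp_name": ICMP_TYPES.get(icmp_type, "other"),
        "src": m.group("src"),
        "iface": m.group("iface"),
        "dst": m.group("dst"),
    }

def summarize(lines):
    """Count denied ICMP messages per (source, destination, ICMP type name) for triage."""
    counts = Counter()
    for line in lines:
        rec = parse_313004(line)
        if rec:
            counts[(rec["src"], rec["dst"], rec["icmp_name"])] += 1
    return counts

# Constructed sample log lines modelled on the message in the question (not real captures).
SAMPLE_LOGS = [
    "%ASA-4-313004: Denied ICMP type=0, from laddr FW2 on interface outside-b2b to syslog01: no matching session",
    "%ASA-4-313004: Denied ICMP type=0, from laddr FW2 on interface outside-b2b to acs01: no matching session",
    "%ASA-4-313004: Denied ICMP type=0, from laddr FW2 on interface outside-b2b to syslog01: no matching session",
    "%ASA-6-302013: Built outbound TCP connection 12345 for inside:10.0.0.5/514 (constructed filler line)",
]

if __name__ == "__main__":
    for (src, dst, kind), n in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{src} -> {dst}: {n} denied {kind}")
```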
