
ASA Email logging issue

d3mb0y555
Level 1

I have an ASA 5520 that I am trying to configure to send email alerts to my Exchange account. I have all the proper information and I've configured what I think to be the necessary parts but I still do not receive emails from the firewall. Any help?

logging enable
logging timestamp
logging standby
logging list LOGGING level informational
logging console emergencies
logging monitor critical
logging buffered informational
logging trap critical
logging history errors
logging asdm warnings
logging mail errors
logging from-address x.x.x@x.x.x.x
logging recipient-address x.x.x@x.x.x.x level errors
logging facility 23
logging queue 1000
logging host inside CISCOWKS
logging host inside x.x.x.x
logging host inside x.x.x.x
logging host inside x.x.x.x
logging debug-trace
no logging message 106015
no logging message 106011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 302016

smtp-server x.x.x.x

1 Accepted Solution


Ok. You are correct I do see bi-directional traffic. That rules the firewall out.

Check the e-mail server logs, event viewer, smtp-server logs and see if they show any indication of receiving or rejecting these e-mails.

Run a Wireshark capture on the server to see what it is doing with the packets that it receives.

-KS


11 Replies

Hi,

Are you getting logs on the syslog servers configured?

Is it just the e-mail alert that is not getting to your e-mail account?

If so, are the from & recipient e-mail addresses sending and receiving any e-mail (properly configured)?

Cheers,

Federico.

The send and receive email addresses are properly configured. The syslog server, however, I cannot confirm at the moment if it is receiving syslog messages.

But right now my email account is not receiving logs.

Could you try this pls.

conf t

logging message 111008 level 3


exit

write mem

Now, see if you receive the message via e-mail. You are only logging error level to mail and there may not be many that are generated.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/l2.html#wp1751895

hostname(config)# logging mail critical

hostname(config)# logging from-address ciscosecurityappliance@example.com

hostname(config)# logging recipient-address admin@example.com

hostname(config)# smtp-server pri-smtp-host sec-smtp-host

-KS

KS,

I tried that but to no avail. Here's the current config now.

logging enable
logging timestamp
logging standby
logging list LOGGING level informational
logging console emergencies
logging monitor critical
logging buffered informational
logging trap critical
logging history errors
logging asdm warnings
logging mail critical
logging from-address admin@example.com

logging recipient-address admin@example.com level informational
logging recipient-address admin@example.com level errors
logging recipient-address admin@example.com level errors
logging facility 23
logging queue 1000
logging host inside CISCOWKS
logging host inside x.x.x.x
logging host inside x.x.x.x
logging host inside x.x.x.x
logging debug-trace
no logging message 106015
no logging message 106011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 302016
logging message 111008 level errors

Now your logging mail shows critical. It showed errors before.

Change it to errors pls.

conf t

logging mail errors

Issue a wri mem and see if it sends you the 111009 syslog via e-mail.

-KS
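
The severity logic discussed in the replies above, as an added example that is not part of the original thread: a Python check that parses an ASA logging configuration and reports whether a given syslog ID would pass the "logging mail" threshold. It assumes the caller supplies the message's default severity (111008 defaults to notifications, level 5) and models only the global "logging mail" level, not per-recipient levels; the function names and the sample config are constructed for illustration.

```python
import re

# ASA severity keywords and numeric levels (lower number = more severe).
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
PREREQS = ("logging enable", "logging from-address",
           "logging recipient-address", "smtp-server")

def _level(tok):  # keyword ('errors') or digit ('3') -> int, else None
    return int(tok) if tok.isdigit() else LEVELS.get(tok)

def parse_logging(config):
    """Collect the settings that decide whether a syslog message is e-mailed."""
    st = dict.fromkeys(PREREQS, False)
    st.update(mail=None, disabled=set(), override={})
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"logging mail (\S+)", line):
            st["mail"] = _level(m.group(1))
        elif m := re.fullmatch(r"no logging message (\d+)", line):
            st["disabled"].add(int(m.group(1)))
        elif m := re.fullmatch(r"logging message (\d+) level (\S+)", line):
            st["override"][int(m.group(1))] = _level(m.group(2))
        else:
            for key in PREREQS:
                if line == key or line.startswith(key + " "):
                    st[key] = True
    return st

def would_email(config, msg_id, default_level):
    """Return (decision, reason) for one message ID and its default severity."""
    st = parse_logging(config)
    missing = [k for k in PREREQS if not st[k]]
    if missing:
        return False, "missing: " + ", ".join(missing)
    if st["mail"] is None:
        return False, "no 'logging mail' severity level"
    if msg_id in st["disabled"]:
        return False, "disabled by 'no logging message'"
    sev = st["override"].get(msg_id)
    sev = default_level if sev is None else sev
    # Assumption: only the global 'logging mail' level is modelled.
    if sev > st["mail"]:
        return False, f"severity {sev} is below mail level {st['mail']}"
    return True, f"severity {sev} passes mail level {st['mail']}"

# Constructed sample modelled on the thread (placeholder addresses).
BASE = ("logging enable\nlogging from-address asa@example.com\n"
        "logging recipient-address admin@example.com level errors\n"
        "smtp-server 192.0.2.25\nno logging message 302013\n")
```

A True result only means the ASA would attempt delivery; as the rest of the thread shows, the mail server can still filter the message.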

KS,

I just made that change but still no email. Any other suggestions?

Arshad

Is the e-mail server accessible from the ASA itself?

Are the e-mails getting to the e-mail server and just not getting to your e-mail account?

You can try a capture to see if the ASA is sending e-mails to the server:

access-list 101 permit ip host IP_of_the_ASA host IP_of_the_e-mail_server
access-list 101 permit ip host IP_of_the_e-mail_server host IP_of_the_ASA

capture E-MAIL access-list 101 packet-length 1512 interface (name_of_the_interface_used_to_reach_the_mail_server)

show capture E-MAIL

This will show us if the ASA is indeed sending packets to the e-mail server, and what kind of packets, and if there's a failure....

Federico.

I hope the firewall has connectivity to the e-mail server. Make sure to ping it using its IP address that you configured in the smtp-server line.

Besides that we just have to do captures like Federico says.

If you are running 7.2.4 and above you can simplify the capture command as follows without any ACL.

cap capin int inside match tcp host 10.10.10.1 any eq 25

where 10.10.10.1 is the IP address of the inside interface. I am assuming the e-mail server is on the inside.

-KS

I ran the capture and I can see bi-directional communication between the firewall and the email server. I've attached some of the capture traffic.

Ok. You are correct I do see bi-directional traffic. That rules the firewall out.

Check the e-mail server logs, event viewer, smtp-server logs and see if they show any indication of receiving or rejecting these e-mails.

Run a Wireshark capture on the server to see what it is doing with the packets that it receives.

-KS

My Exchange administrator checked the server and saw the messages being blocked by the spam filter. He adjusted the filter and now I'm receiving alerts from the ASA. Thanks a lot guys for all the help.

Arshad
