Cisco Support Community

New Member

FWSM - ACL Deny with log command not shown in show logging


We have an FWSM running version 4.1.11. We have configured deny ACEs with the log command at the end of the ACL, but when we run show logging there are no deny ACL logs; it shows only the system logs. We tried changing the logging buffered level to informational/notification/debugging but still could not see any denies against the ACL. When we run show access-list <acl-name> we can see the hit counts increasing. However, when we checked with ASDM real-time monitoring (debugging) we could see those denies against the configured ACL.

Can some experts please advise me on this: why do we not see any deny logs against the ACL, and why are they not shown even with the deny log command? I am not sure whether we are hitting a bug here, because on another FWSM running 4.0.12 I can see some deny logs against the ACL even without the log command at the end of the ACL.

Thanks in advance.

Super Bronze

Re: FWSM - ACL Deny with log command not shown in show logging


We have an FWSM running 4.1, but not the exact version you have.

I have never run into this problem.

I also didn't find any existing bug on the Cisco site that could explain this.

Generally, the very basic configuration needed to show all connection attempts that are getting blocked by an interface ACL would be to set the logging level to

trap = to Syslog server

asdm = to ASDM

buffered = to log buffer

logging trap notifications

logging asdm notifications

logging buffered notifications

To show connection building and teardown messages you would need the following (and of course the Deny messages, as with the notifications level):

logging trap informational

logging asdm informational

logging buffered informational

What kind of logging configurations do you have? Can you share your "show run logging" output

Provided the configurations are correct, I would imagine that it's something that would need to be looked at by Cisco TAC.

I generally avoid looking at logs through the buffer on the CLI. Usually this is because there might be so many logs generated at one moment that many of them simply don't show in the buffer because they have already been overwritten by other logs. Of course I could increase the buffer size, but I'd rather not. I usually gather them from our Syslog server or use ASDM for real-time monitoring while troubleshooting a customer problem.

- Jouni
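The thread turns on the relationship between the severity carried in each FWSM syslog message and the level configured per destination with logging buffered / logging asdm / logging trap. As an added example (not code from this thread or from Cisco), the Python script below parses a handful of constructed FWSM syslog lines, extracts the severity from the %FWSM-<severity>-<id> header, and reports which messages each configured level would deliver. The sample lines are made up, but the level numbering and the default severities used (106023 "Deny ... by access-group" at warnings/4, the per-ACE log keyword message 106100 at informational/6, 302013 at informational/6, 111008 at notifications/5) follow Cisco's documented values, so the script shows the practical point: a destination set to notifications receives 106023 but silently drops the 106100 messages that the log keyword on an ACE produces by default.

```python
import re

# Syslog severity names and numbers as used by "logging <destination> <level>"
# on the ASA/FWSM CLI. A destination receives every message whose severity
# number is less than or equal to the configured level.
SEVERITY_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
LEVEL_NAMES = {num: name for name, num in SEVERITY_LEVELS.items()}

# FWSM syslog header: %FWSM-<severity>-<message id>: <text>
MSG_RE = re.compile(r"%FWSM-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")

# Constructed sample messages, not captured from a real device. Addresses are
# documentation ranges; severities are the documented defaults per message ID
# (106023 = 4, 106100 = 6, 302013 = 6, 111008 = 5).
SAMPLE_LOG = """\
%FWSM-4-106023: Deny tcp src outside:198.51.100.7/40123 dst inside:192.0.2.10/22 by access-group "outside_in"
%FWSM-6-106100: access-list outside_in denied tcp outside/198.51.100.7(40123) -> inside/192.0.2.10(22) hit-cnt 1 first hit
%FWSM-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51000 to inside:192.0.2.20/443
%FWSM-5-111008: User 'admin' executed the 'logging buffered debugging' command.
"""

# The two message IDs that report an interface ACL deny.
ACL_DENY_IDS = ("106023", "106100")


def parse(lines):
    """Parse FWSM syslog lines into dicts; lines without a syslog header are skipped."""
    parsed = []
    for line in lines:
        m = MSG_RE.search(line)
        if m:
            parsed.append({"sev": int(m.group("sev")),
                           "msgid": m.group("msgid"),
                           "text": m.group("text")})
    return parsed


def visible_at(level_name, lines):
    """Message IDs a destination (buffer, ASDM, trap) set to level_name would receive."""
    threshold = SEVERITY_LEVELS[level_name]
    return [m["msgid"] for m in parse(lines) if m["sev"] <= threshold]


def acl_denies_dropped_at(level_name, lines):
    """ACL deny messages present in the log but filtered out at level_name."""
    threshold = SEVERITY_LEVELS[level_name]
    return [m["msgid"] for m in parse(lines)
            if m["msgid"] in ACL_DENY_IDS and m["sev"] > threshold]


def min_level_for(msgid, lines):
    """Lowest 'logging <destination> <level>' setting at which msgid appears, or None."""
    sevs = [m["sev"] for m in parse(lines) if m["msgid"] == msgid]
    return LEVEL_NAMES[max(sevs)] if sevs else None


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for level in ("notifications", "informational"):
        print(f"logging buffered {level}: shows {visible_at(level, lines)}; "
              f"drops ACL denies {acl_denies_dropped_at(level, lines)}")
    print("106100 needs at least:", min_level_for("106100", lines))
```

Run against a real "show logging" capture, the same parser tells you in one pass whether the denies you expect are missing because of the configured level or because they never reached the buffer at all (buffer overwrite, as Jouni describes).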