Cisco Support Community

New Member

Log doubt

Hi...

I have an ASA 5540, and I'm testing the logging.

When I telnet (port 23) my internal interface, the log shows me that the connection was denied. All right.

But, when I telnet with another port, for example 5858, the log doesn't show me anything.

Why?

Is this a normal behavior?

Thanks

Re: Log doubt

Hi,

I am assuming the syslog message that you're referring to is %ASA-3-710003. According to the ASA syslog documentation:

"This message is displayed when the security appliance denies an attempt to connect to the interface service."

So, I think that we will only see %ASA-3-710003 messages for attempted connections on ports that the firewall is running a particular service on (i.e. 21, 23, 80, 443). For other ports, such as 5858, you'll see %ASA-7-710005 messages instead.

Hope that helps.

-Mike

New Member

Re: Log doubt

Hi, Robertson and Farrukh

when I telnet (port 23) I see 710003 denied access..ok.

But when I telnet with another port, I didn't see the 710005, like you said.

I'm logging at Debugging level at ASDM

Re: Log doubt

At what level are you logging (check this with the show logging output)? It could be the other syslogs are at a higher level. The ASA generates a syslog for each permit/deny (at least on the first packet of each flow) even though this could be indicated through different syslog messages/levels.

Regards

Farrukh

New Member

Re: Log doubt

Hi, Robertson and Farrukh

when I telnet (port 23) I see 710003 denied access..ok.

But when I telnet with another port, I didn't see the 710005, like you said.

I'm logging at Debugging level at ASDM

Re: Log doubt

Ok you won't see 710005, but you will see another syslog.

Regards

Farrukh

New Member

Re: Log doubt

Hi Farrukh,

is it possible to see 710005?

Thanks

Re: Log doubt

Hi,

You should see 710005 if you are logging at the debugging level.

Could you post the output of 'show run | inc logging' from your ASA?

-Mike

New Member

Re: Log doubt

Hi Mike...

see output:

logging enable

logging monitor informational

logging trap informational

logging asdm informational

logging host LAN 172.x.x.x

I think I figured the error. Should the configuration be set to "debugging"???

Re: Log doubt

Yes you are absolutely correct. The 710005 messages will only be seen if you are logging at the "debugging" (7) level. Your ASDM logging is set to the "informational" (6) level. You'll need to issue the following command:

ASA(config)# logging asdm debugging

Give that a try and let me know if it works.

-Mike
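
Added example (not part of the original thread): a small Python check that reads the `logging` lines posted above and reports which destinations would display a message, based on the severity digit in its `%ASA-<severity>-<id>` tag. The function names and the two sample log lines are constructed for illustration; only the configuration lines come from the thread.

```python
import re

# Severity keywords used by "logging <destination> <level>"; lower number = more severe.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
NAMES = {number: name for name, number in LEVELS.items()}

MSG_RE = re.compile(r"%ASA-([0-7])-(\d{6})")
DEST_RE = re.compile(r"^logging\s+(console|monitor|buffered|trap|asdm)\s+(\S+)")

# Configuration lines as posted in the thread.
POSTED_CONFIG = """\
logging enable
logging monitor informational
logging trap informational
logging asdm informational
logging host LAN 172.x.x.x
"""

# Constructed sample messages (documentation addresses, not taken from the thread).
MSG_710003 = "%ASA-3-710003: TCP access denied by ACL from 192.0.2.10/51000 to inside:192.0.2.1/23"
MSG_710005 = "%ASA-7-710005: TCP request discarded from 192.0.2.10/51001 to inside:192.0.2.1/5858"

def parse_destinations(config_text):
    """Map each logging destination to its numeric severity threshold."""
    dests = {}
    for line in config_text.splitlines():
        m = DEST_RE.match(line.strip())
        if m and m.group(2).lower() in LEVELS:
            dests[m.group(1)] = LEVELS[m.group(2).lower()]
    return dests

def severity_of(message):
    """Extract the severity digit from a %ASA-<severity>-<id> tag."""
    m = MSG_RE.search(message)
    if m is None:
        raise ValueError("no %ASA-<severity>-<id> tag found")
    return int(m.group(1))

def visible_at(message, dests):
    """Destinations whose threshold is at or above the message severity."""
    sev = severity_of(message)
    return sorted(d for d, threshold in dests.items() if sev <= threshold)

def minimum_level(message):
    """Least verbose level keyword that still shows this message."""
    return NAMES[severity_of(message)]

if __name__ == "__main__":
    dests = parse_destinations(POSTED_CONFIG)
    for msg in (MSG_710003, MSG_710005):
        print(msg[:14], "shown on", visible_at(msg, dests) or "nothing",
              "| needs at least:", minimum_level(msg))
```

With the posted configuration the 710003 line passes every destination's threshold while the 710005 line passes none, which matches what the original poster observed.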

New Member

Re: Log doubt

Hi Mike...

Now it's working fine...I can see ASA denying my telnet connection at port 5858.

Thank you...
