Cisco Support Community
Community Member

Quick syslog question ASA 5500/8.04

Is there a way to get, from the syslog messages, which ACE of an ACL triggered a deny?

frex, I have an object, Blocked_addresses, which contains 30 addresses. This is used in a deny in an ACL. This element of the ACL shows a bunch of hits, but no details as to which element was matched.

I don't want to search the log repository for the whole list of IPs to see which one hit, I'd like to search the syslog for the specific ACE, so I can quickly isolate those messages.

I know each ACE has its own identifier, but do they show up in the syslog in a usable format?

Thanks,

Rich

4 REPLIES
Cisco Employee

Re: Quick syslog question ASA 5500/8.04

The deny usually has a hash value.

To see which ACE that is you need to issue sh access-l blah | i hash

Presently it is not possible to get the appropriate ACE in the syslog deny message, only the hash.

Community Member

Re: Quick syslog question ASA 5500/8.04

Thank you for this - it didn't work quite correctly - I get an unknown command. If I expand it to incl hash, I get a blank. However, just doing a 'sh access-list' did give me the identifiers, just not how I expected. The nicer thing is that it gave me the hitcounts per IP address, instead of just per ACE.

Cisco Employee

Re: Quick syslog question ASA 5500/8.04

You have to include the hash value that you see in the syslogs when you issue the sh access-list command.

example:

TK00FWSM# show access-list vl998
access-list vl998; 102 elements
access-list vl998 line 1 extended permit tcp any object-group sisj-cgp-mailfe-svc eq smtp 0xb7e52495
  access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe00-svc eq smtp (hitcnt=0) 0x4115ae92
  access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe01-svc eq smtp (hitcnt=0) 0x9b15500

sh access-l vl998 | i 0x9b15500

Put the hash that you see in the syslogs in the above command.
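As an added illustration (not part of this thread), a small Python script that does the matching the reply describes off-box: it parses show access-list output into a hash-to-ACE map and resolves the hash carried in each syslog deny line to the expanded host entry that actually matched. The show access-list text and the log lines are constructed samples, and the bracketed [0x..., 0x...] layout at the end of the deny message is an assumption about the %ASA-4-106023 format.

```python
import re

# Constructed sample of "show access-list" output, modelled on the reply above:
# an object-group line followed by its expanded per-host entries and hit counts.
SHOW_ACCESS_LIST = """\
access-list vl998; 102 elements
access-list vl998 line 1 extended permit tcp any object-group sisj-cgp-mailfe-svc eq smtp 0xb7e52495
  access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe00-svc eq smtp (hitcnt=0) 0x4115ae92
  access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe01-svc eq smtp (hitcnt=3) 0x9b15500
access-list vl998 line 2 extended deny ip object-group Blocked_addresses any 0x1c2d3e4f
  access-list vl998 line 2 extended deny ip host 203.0.113.10 any (hitcnt=7) 0xaaaa1111
  access-list vl998 line 2 extended deny ip host 203.0.113.11 any (hitcnt=0) 0xbbbb2222
"""

# Constructed syslog lines in the %ASA-4-106023 shape; the first hex value in the
# trailing brackets is assumed to be the ACE hash shown by "show access-list".
SYSLOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.10/44321 dst inside:10.0.0.5/25 by access-group "vl998" [0xaaaa1111, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.10/44322 dst inside:10.0.0.5/25 by access-group "vl998" [0xaaaa1111, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.7/5353 dst inside:10.0.0.9/53 by access-group "vl998" [0xdeadbeef, 0x0]
"""

# ACE text, line number, optional hitcnt and the trailing hash; group lines carry no hitcnt.
ACE_RE = re.compile(r"^\s*(access-list \S+ line (\d+) .*?)(?: \(hitcnt=(\d+)\))? (0x[0-9a-fA-F]+)$")
LOG_HASH_RE = re.compile(r"\[(0x[0-9a-fA-F]+), 0x[0-9a-fA-F]+\]")


def parse_access_list(text):
    """Map each ACE hash to (ACL line number, ACE text, hitcnt or None for group lines)."""
    aces = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if m:
            ace, line_no, hits, h = m.groups()
            aces[h.lower()] = (int(line_no), ace, int(hits) if hits is not None else None)
    return aces


def correlate_denies(syslog, aces):
    """Count syslog denies per hash and resolve each to its ACE; unknown hashes are flagged."""
    unknown = (None, "<hash not in show access-list; ACL may have changed since>", None)
    counts = {}
    for line in syslog.splitlines():
        m = LOG_HASH_RE.search(line)
        if m:
            h = m.group(1).lower()
            counts[h] = counts.get(h, 0) + 1
    return {h: (n, aces.get(h, unknown)) for h, n in counts.items()}


if __name__ == "__main__":
    for h, (n, (line_no, ace, hits)) in correlate_denies(SYSLOG, parse_access_list(SHOW_ACCESS_LIST)).items():
        print(f"{h}: {n} syslog denies -> line {line_no}: {ace} (hitcnt={hits})")
```

A hash that is absent from the show access-list output usually means the ACL was edited after the log line was written, so re-collect the output before trusting the mapping.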

Community Member

Re: Quick syslog question ASA 5500/8.04

I see. I read the literal 'hash' not the variable hash.

Thank you!

R
