Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
342
Views
0
Helpful
5
Replies

fwsm logging differences from PIX

andrlej
Level 1
Level 1

‎02-06-2004 08:38 AM - edited ‎02-20-2020 11:13 PM

Hello All,

i would like to asks someone what to do with logging on fwsm.

1) logging messages has no information about interface. at PIX logs you can find interface name:ip address where the connection starts and ends. but at fwsm logs there is only information that connection starts from ip address to ip address.

When you are debugging problematic communication information about interfaces helps you very much.

2) IDs of fwsm logging messages are diffrerent from PIX IDs. and also there is no url with syslog messages on fwsm (for expample detailed information about messages ID %FWSM-6-302001 or %FWSM-6-302002 :-(

3) When any TCP connection ends (somehow), on PIX log is the infromation about the reason of termination. on fwsm there is only information that the reason is "Unknown". With this information it is impossile to say what was the reason for TCP connection termination.

Does anyone know what i can do with that?

I will be helpfull for every ifnormation. Thanks a lot.

Jakub A.

0 Helpful
5 Replies 5

scoclayton
Level 7
Level 7

‎02-06-2004 11:15 AM

Jakub,

I will take a stab at these:

1) Can you give me an example of a syslog message that you think should have the interface parameter in it? I am afriad I don't really know what you are talking about here.

2) Some FWSM log ID's are different. But for the most part, they *should* be the same. For the FWSM specific messages, you can refer to this link:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/fwsm/fwmsgs.htm

For all others, just refer to the PIX 6.0 Syslog message reference:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/syslog/pixemsgs.htm

3. This is a bug (probably more of an ehancement as there actually is no code to return this data in the FWSM) - CSCec83556 We are hoping to address this short-coming as it does make troubleshooting a little more difficult.

Scott

0 Helpful

tat-12310
Level 1
Level 1
In response to scoclayton

‎02-06-2004 01:04 PM

I have been trying to decode same message. Something like

Feb 6 15:41:19 fwsm1 Feb 06 2004 15:41:26: %FWSM-6-302001: Built inbound TCP connection 127 for faddr / gaddr / laddr /

0 Helpful

andrlej
Level 1
Level 1
In response to scoclayton

‎02-09-2004 12:59 AM

Hello Scott,

ad 1) we are using pix 6.3(3) and the logs looks like this:

PIX-6-302013: Built {inbound|outbound} TCP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) to interface_name:real_address/real_port (mapped_address/mapped_port) [(user)]

%PIX-6-302014: Teardown TCP connection number for interface_name:real_address/real_port to interface_name:real_address/real_port duration time bytes number [reason] [(user)]

another connections has also interface information.

ad2) this was my fault. We are using pix 6.3(3) and i assumed, that the log IDSs are same with versin 6.0. There are not :-((.

Thank you for links.

ad3) Whan do you plat to address this short-comming?

And finaly i found another proble with lost information about interfaces.

4) Command "sh xlate debug" does not display interface and translation type :-(.

All this "problems" are very confusing. Do you have any dates when this could be somehow corrected?

Thanks a lot, Jakub

0 Helpful

scoclayton
Level 7
Level 7
In response to andrlej

‎02-09-2004 06:22 AM

Jakub,

Try #2

1) Remember, the FWSM is based on the PIX 6.0 code (with a few additions). I don't know of any syslog messages in PIX 6.0 code that contains interface information. For instance, 302013 and 302014 are not FWSM log messages at this time. FWSM 2.1 (due in April) should add more syslogs to bring it in-line with >6.3 PIX code.

2) No Problem

3) Not sure. At this time, I do not see where this has been addressed. If this is something that is important to you, please contact your local Cisco account team.

4) Yep, new option on the 'sh xlate' command as of PIX 6.2 (I believe). I agree with you as this command is extremely helpful. I am guessing this is going to available in FWSM 2.1 code but I am not 100% sure on this.

The FWSM 2.1 and PIX 7.0 code are supposed to be in-line with one another so hopefully everything that is supported in the PIX code will also be supported in the FWSM at that time. Sorry for the confusion but we are trying to make this easier moving forward.

Scott

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card