Cisco Support Community

New Member

logging on ACLs - problem with deny ACEs

I discovered that recently our FWSM does not want to log deny-flows any more.

Whenever I want a certain ACE to be logged, I enable the logging with the alert level - and it gets Syslogged.

Configuration used:


BE01NF31/UNIVEG# sh run log
logging enable
logging timestamp
logging list ErLst level alerts
logging list ErLst message 106100
logging buffer-size 16384
logging trap ErLst
logging asdm ErLst
logging host FW_Ext BE01S514
logging permit-hostdown
logging class config trap warnings
logging class ip trap alerts


Whenever I log a 'permit' ACE, it works fine, but when I want to log a 'deny' ACE, nothing is sent to the Syslog server.

What can cause this behaviour? What can I check?

Thanks !!

Cisco Employee

Re: logging on ACLs - problem with deny ACEs

There is a possibility that you might be hitting the maximum number of ACL log deny-flows via syslog message# 106101:

However, since you are only sending syslog message# 106100 to your syslog server, you are not seeing the other syslog messages that might give you an explanation on why you are not seeing the deny logs.

Hope that helps.
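
One way to check a syslog capture for the condition discussed in this thread, as an added example that is not part of either post: it tallies 106100 entries by action and collects any 106101 limit notices. The sample lines, the ACL name OUTSIDE_IN, the addresses and the message wording are constructed assumptions, not output from the poster's FWSM.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread). The layout
# "%<platform>-<severity>-<message id>: <text>" and the message wording are assumptions.
SAMPLE = """\
Mar 03 10:15:01 fw %FWSM-1-106100: access-list OUTSIDE_IN permitted tcp outside/192.0.2.10(34512) -> inside/198.51.100.5(443) hit-cnt 1 (first hit)
Mar 03 10:15:04 fw %FWSM-1-106100: access-list OUTSIDE_IN permitted tcp outside/192.0.2.11(40100) -> inside/198.51.100.5(443) hit-cnt 1 (first hit)
Mar 03 10:15:09 fw %FWSM-1-106101: The number of ACL log deny-flows has reached limit (4096).
Mar 03 10:20:04 fw %FWSM-1-106100: access-list OUTSIDE_IN permitted tcp outside/192.0.2.11(40100) -> inside/198.51.100.5(443) hit-cnt 7 (300-second interval)
"""

MSG = re.compile(r"%(?:FWSM|ASA|PIX)-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")
ACE = re.compile(r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) ")
LIMIT = re.compile(r"\((\d+)\)")

def summarize(lines):
    """Count 106100 entries by action and collect 106101 limit notices."""
    actions = Counter()
    limit_hits = []
    for line in lines:
        m = MSG.search(line)
        if not m:
            continue  # not a firewall syslog message
        if m["id"] == "106100":
            a = ACE.search(m["text"])
            if a:
                actions[a["action"]] += 1
        elif m["id"] == "106101":
            n = LIMIT.search(m["text"])
            limit_hits.append(int(n.group(1)) if n else None)
    return {
        "permitted": actions["permitted"],
        "denied": actions["denied"],
        "limit_hits": limit_hits,
        # Permits arriving with no denies at all matches the symptom in the question.
        "deny_logging_suspect": actions["permitted"] > 0 and actions["denied"] == 0,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

Run it against the buffer or a syslog file that receives all message IDs, since a destination filtered to 106100 alone cannot contain 106101.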