[c-nsp] FWSM logging problem

Eric Cables ecables at gmail.com
Wed Dec 16 13:28:32 EST 2009


What does the output of 'show logging queue' look like?  Are msgs being
actively discarded?  How large of a queue depth is too large -- 2048, 4096,
8192?

-- Eric Cables


On Wed, Dec 16, 2009 at 10:03 AM, <NMaio at guesswho.com> wrote:

> Tony,
> > As a side note, have you had the issue of traffic blowing by an ACE? :)
> What are you referring to here?  I run both the FWSM and ACE module.  We have
> had a plethora of problems with the ACE.  The best is it just stops
> responding and passing traffic and it doesn't failover when that happens.
> Nick
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
> Sent: Wednesday, December 16, 2009 12:31 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] FWSM logging problem
>
> What code are you on?
>
> These types of items have been going on for a while in various iterations
> of code.  There have been so many it's hard for me to keep them straight LOL!
>
> But, if you post your code I'll try and look up my notes.  In the end,
> you'll have to call TAC and they will tell you to upgrade to xyz.
>
> Try to get a bugid and make sure the recommended upgrade fixes your
> problem.
> I've had a couple logging issues that had no id and TAC just said upgrade.
>
> As a side note, have you had the issue of traffic blowing by an ACE? :)
>
> tv
> ----- Original Message -----
> From: "Holemans Wim" <wim.holemans at ua.ac.be>
> To: <cisco-nsp at puck.nether.net>
> Sent: Wednesday, December 16, 2009 9:44 AM
> Subject: [c-nsp] FWSM logging problem
>
>
> > It seems our FWSM doesn't log all denied ACLs. I blocked an IP address
> > on our FWSM and wanted to see whomever on campus is trying to access
> > this address (Botnet C&C).
> >
> > I added the following line in the ACL (even raised priority); you can
> > see that the rule triggers when I tried to telnet to the address:
> >
> > access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4
> > log critical interval 30 (hitcnt=9) 0x6e051e8c
> >
> > There is however no corresponding syslog message on our syslog server or
> > in the buffered logs on the FWSM.
> >
> > These are our logging settings: already raised the queue size, some
> > messages moved to another log level so they don't get sent to our syslog
> > server. ACL log messages are normally ID 106100 at level debugging; I
> > can find several of them on the syslog server but not for the specific
> > ACE.
> >
> > logging enable
> > logging timestamp
> > logging emblem
> > logging console debugging
> > logging monitor debugging
> > logging buffered debugging
> > logging trap informational
> > logging asdm informational
> > logging queue 1024
> > logging host DA-rt x.x.x.x
> > logging message 305010 level debugging
> > logging message 305009 level debugging
> > logging message 302015 level debugging
> > logging message 302014 level debugging
> > logging message 302013 level debugging
> > logging message 302016 level debugging
> > logging message 302021 level debugging
> >
> > Does anyone have a clue how to get all syslog messages for the ACEs that
> > have a log part?
> >
> > Wim Holemans
> >
> > Netwerkdienst Universiteit Antwerpen
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
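An added example (my own, not code posted by anyone in the thread) that checks the situation Wim describes from the syslog side: it parses FWSM 106100 messages, sums the hit-cnt of each ACE by its hash and compares that total with the hitcnt that the ACL line reports, and checks whether a message's severity would pass the configured "logging trap" level. The log lines are constructed; their layout follows the documented FWSM/ASA 106100 format, and the ACE hash 0x6e051e8c is the one from Wim's output.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread) in the FWSM 106100 format:
# three deny hits for the ACE shown above (hash 0x6e051e8c, severity 2 because
# of its "log critical" keyword) and one unrelated permit at severity 6.
SAMPLE_LOG = """\
Dec 16 09:40:01 fwsm %FWSM-2-106100: access-list Internet-out denied tcp inside/10.1.2.3(51000) -> outside/192.0.2.10(23) hit-cnt 1 first hit [0x6e051e8c, 0x0]
Dec 16 09:40:31 fwsm %FWSM-2-106100: access-list Internet-out denied tcp inside/10.1.2.3(51001) -> outside/192.0.2.10(23) hit-cnt 3 30-second interval [0x6e051e8c, 0x0]
Dec 16 09:41:01 fwsm %FWSM-6-106100: access-list Internet-out permitted tcp inside/10.1.2.7(40000) -> outside/198.51.100.5(80) hit-cnt 1 first hit [0x12345678, 0x0]
Dec 16 09:41:31 fwsm %FWSM-2-106100: access-list Internet-out denied tcp inside/10.1.2.9(51002) -> outside/192.0.2.10(23) hit-cnt 2 30-second interval [0x6e051e8c, 0x0]
"""

MSG_106100 = re.compile(
    r"%FWSM-(?P<sev>\d)-106100: access-list (?P<acl>\S+) (?P<action>\w+) "
    r"(?P<proto>\S+) (?P<src>\S+) -> (?P<dst>\S+) hit-cnt (?P<hits>\d+) "
    r"(?P<when>first hit|\d+-second interval) \[(?P<hash>0x[0-9a-fA-F]+),"
)

# Syslog severity names as used by "logging trap <level>" and "log <level>".
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

def parse_106100(line):
    """Return the fields of one 106100 message, or None for any other line."""
    m = MSG_106100.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    rec["hits"] = int(rec["hits"])
    return rec

def hits_by_ace(log_text, action="denied"):
    """Sum hit-cnt per (ACL name, ACE hash); interval messages carry several hits."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_106100(line)
        if rec and rec["action"] == action:
            totals[(rec["acl"], rec["hash"].lower())] += rec["hits"]
    return dict(totals)

def reconcile(log_text, acl, ace_hash, hitcnt):
    """Compare hits seen in syslog with the hitcnt shown on the ACL line."""
    logged = hits_by_ace(log_text).get((acl, ace_hash.lower()), 0)
    return {"logged": logged, "hitcnt": hitcnt, "missing": hitcnt - logged}

def passes_trap(sev, trap_level="informational"):
    """True if a message of numeric severity sev reaches a 'logging trap' host."""
    return sev <= SEVERITY[trap_level]
```

With hitcnt=9 from the ACL line and the six hits in the sample, reconcile() reports three hits that never reached syslog; run the same comparison over the real server's log to measure how much the FWSM is dropping.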