[c-nsp] FWSM logging problem
Andrew Yourtchenko
ayourtch at cisco.com
Wed Dec 16 13:54:33 EST 2009
On Wed, 16 Dec 2009, Tony Varriale wrote:
>
> Try to get a bugid and make sure the recommended upgrade fixes your problem.
That's indeed the proper thing to do. And please, after making sure - also
let the case owner know, that it did fix the problem - it's a step
sometimes overseen :-)
> I've had a couple logging issues that had no id and TAC just said upgrade.
>
shoot me the case#s unicast, if you still have them. The one I found in a
quick search did mention the bug ids along with the pretty detailed
explanations for each, but maybe there were some others where there was
less info, that I could not find...
> As a side note, have you had the issue of traffic blowing by an ACE? :)
http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml ?
There could be some other scenarios where by tweaking the object group one
gets the ACL exploded so much that it does not fit into the network
processors anymore - then the previously compiled version is being used -
but generally you get a pretty prominent warning about that.
thanks,
andrew
>
> tv
> ----- Original Message ----- From: "Holemans Wim" <wim.holemans at ua.ac.be>
> To: <cisco-nsp at puck.nether.net>
> Sent: Wednesday, December 16, 2009 9:44 AM
> Subject: [c-nsp] FWSM logging problem
>
>
>> It seems our FWSM doesn't log all denied ACLs. I blocked an IP address
>> on our FWSM and wanted to see whomever on campus is trying to access
>> this address (Botnet C&C).
>>
>> I added the following line in the ACL (even raised priority), you can
>> see that the rule triggers when I tried to telnet the address :
>>
>> access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4
>> log critical interval 30 (hitcnt=9) 0x6e051e8c
>>
>> There is however no corresponding syslog message on our syslog server or
>> in the buffered logs on the FWSM.
>>
>> These are our logging settings : already raised queue size, some
>> messages moved to another log level so they don't get sent to our syslog
>> server. ACL log messages are normally of ID 106100 level debugging, I
>> can find several of them on the syslog server but not for the specific
>> ACE.
>>
>> logging enable
>> logging timestamp
>> logging emblem
>> logging console debugging
>> logging monitor debugging
>> logging buffered debugging
>> logging trap informational
>> logging asdm informational
>> logging queue 1024
>> logging host DA-rt x.x.x.x
>> logging message 305010 level debugging
>> logging message 305009 level debugging
>> logging message 302015 level debugging
>> logging message 302014 level debugging
>> logging message 302013 level debugging
>> logging message 302016 level debugging
>> logging message 302021 level debugging
>>
>> Does anyone have a clue on how to get all syslog messages for the ACEs that
>> have a log part ?
>>
>> Wim Holemans
>>
>> Netwerkdienst Universiteit Antwerpen
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
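The thread turns on two things a defender wants to check before opening a TAC case: whether the configured `logging trap` / `logging buffered` levels and the per-message `logging message ... level` overrides would even let a given syslog ID reach a destination, and whether the 106100 lines that do arrive can be tied back to the specific ACE. The script below is an added example, not code from the thread or from Cisco: it parses the logging configuration quoted above, models the severity filter (a message is delivered when its severity number is at or below the destination's level, with `logging message` overrides applied first), and then pulls hits for one ACE out of constructed 106100 lines. The sample syslog lines are constructed to the documented 106100 layout with 192.0.2.10 standing in for the blocked host; the ACE hash 0x6e051e8c comes from the `show access-list` output in the thread, and it is an assumption here that the first bracketed hash in a 106100 line is that same ACE hash and that an ACE configured with `log critical` emits 106100 at severity 2.

```python
"""Model the FWSM logging filter from the posted config and extract per-ACE hits
from 106100 lines. Added example; constructed inputs, not data from the thread."""
import re

# FWSM/ASA syslog severity keywords; lower number = more severe.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Copy of the logging configuration quoted in the thread (used here as text input).
POSTED_CONFIG = """\
logging enable
logging timestamp
logging emblem
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm informational
logging queue 1024
logging host DA-rt x.x.x.x
logging message 305010 level debugging
logging message 305009 level debugging
logging message 302015 level debugging
logging message 302014 level debugging
logging message 302013 level debugging
logging message 302016 level debugging
logging message 302021 level debugging
"""


def parse_logging_config(text):
    """Return ({destination: max severity number}, {msg_id: overridden severity})."""
    dest_levels, overrides = {}, {}
    for line in text.splitlines():
        parts = line.split()
        # "logging trap informational" style lines set a destination's level.
        if len(parts) == 3 and parts[0] == "logging" and parts[2] in SEVERITY:
            dest_levels[parts[1]] = SEVERITY[parts[2]]
        # "logging message 305010 level debugging" re-levels one message ID.
        elif len(parts) == 5 and parts[:2] == ["logging", "message"] and parts[3] == "level":
            overrides[parts[2]] = SEVERITY[parts[4]]
    return dest_levels, overrides


def is_sent(dest_levels, overrides, destination, msg_id, default_level):
    """True when the message's effective severity is at or below the destination's level.
    An unconfigured destination receives nothing."""
    if destination not in dest_levels:
        return False
    return overrides.get(msg_id, default_level) <= dest_levels[destination]


def check_posted_config(msg_id, default_level):
    """Evaluate one message ID against every destination in POSTED_CONFIG."""
    dest_levels, overrides = parse_logging_config(POSTED_CONFIG)
    return {d: is_sent(dest_levels, overrides, d, msg_id, default_level) for d in dest_levels}


# 106100 layout as documented for ASA/FWSM. Assumption: the first bracketed hash is the
# ACE hash that "show access-list" prints (0x6e051e8c in the thread).
LINE_106100 = re.compile(
    r"%FWSM-(?P<sev>\d)-106100: access-list (?P<acl>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src_if>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+) "
    r".*?\[(?P<ace_hash>0x[0-9a-f]+), (?P<hash2>0x[0-9a-f]+)\]"
)

# Constructed sample lines; 192.0.2.10 stands in for the blocked host X1.X2.X3.X4.
SAMPLE_SYSLOG = """\
%FWSM-2-106100: access-list Internet-out denied tcp inside/10.1.2.3(51234) -> outside/192.0.2.10(23) hit-cnt 1 first hit [0x6e051e8c, 0x0]
%FWSM-6-106100: access-list Internet-out permitted tcp inside/10.1.2.4(40000) -> outside/198.51.100.7(443) hit-cnt 12 300-second interval [0x1a2b3c4d, 0x0]
%FWSM-2-106100: access-list Internet-out denied udp inside/10.1.2.9(6000) -> outside/192.0.2.10(53) hit-cnt 4 30-second interval [0x6e051e8c, 0x0]
"""


def hits_for_ace(syslog_text, ace_hash):
    """List (source, destination, hit count) for every 106100 line carrying ace_hash."""
    found = []
    for line in syslog_text.splitlines():
        m = LINE_106100.match(line)
        if m and m.group("ace_hash") == ace_hash:
            found.append((m.group("src"), m.group("dst"), int(m.group("hits"))))
    return found


if __name__ == "__main__":
    # "log critical" on the ACE -> 106100 at severity 2 passes "logging trap informational".
    print(check_posted_config("106100", SEVERITY["critical"]))
    # 305010 re-levelled to debugging: kept in the buffer, dropped for trap and asdm.
    print(check_posted_config("305010", SEVERITY["informational"]))
    print(hits_for_ace(SAMPLE_SYSLOG, "0x6e051e8c"))
```

With the posted configuration the model says a critical-level 106100 should reach the syslog host and the buffer alike, which is consistent with Wim's observation that the missing messages are not explained by the level settings; the per-ACE extraction is the check to run over the collector's files once the messages do arrive, since filtering on the ACE hash is more reliable than filtering on the destination address when the same host appears in several ACEs.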