[c-nsp] FWSM logging problem

Holemans Wim wim.holemans at ua.ac.be
Thu Dec 17 03:37:00 EST 2009


To answer all questions about versions etc.
We are running 3.1(4), not the latest I know, but people here are
'allergic' to network downtime and with semester exams coming up, I
won't be able to upgrade before February.
I removed the log option from the rule which should have given me 106023
messages in my logs but they don't show up; the ACE is being hit
however:

access-list Internet-out line 24 extended deny ip any host x.x.x.x (hitcnt=13) 0x6e051e8c

As far as I can tell, there is no queue problem:
        Logging Queue length limit : 1024 msg(s), 30947037 msg(s) discarded.
        Current 502 msg on queue, 512 msgs most on queue
I raised the limit to 1024 yesterday and the number of discards stayed
the same since then.

There doesn't seem to be a caching problem either:
fwcdep/fwcdep1# sh access-list | incl cache
access-list cached ACL log flows: total 5, denied 3 (deny-flow-max 4096)

I'll have to live with this until I can upgrade.

Wim


-----Original Message-----
From: Andrew Yourtchenko [mailto:ayourtch at cisco.com]
Sent: Wednesday 16 December 2009 19:35
To: Holemans Wim
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FWSM logging problem

On Wed, 16 Dec 2009, Holemans Wim wrote:

> It seems our FWSM doesn't log all denied ACLs. I blocked an IP address
> on our FWSM and wanted to see whomever on campus is trying to access
> this address (Botnet C&C).
>
> I added the following line in the ACL (even raised priority), you can
> see that the rules triggers when I tried to telnet the address :
>
> access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4
> log critical interval 30 (hitcnt=9) 0x6e051e8c
>
>
>
> There is however no corresponding syslog message on our syslog server or
> in the buffered logs on the FWSM.

Any chances you'd have "%FWSM-1-106101: Number of cached deny-flows for
ACL log has reached limit " somewhere?

Check on "show access-list" output:

FWSM(config)# sh access-list | inc flows
access-list cached ACL log flows: total 1, denied 1 (deny-flow-max 1)

Here I've configured 1 flow. Once you reach the flow limit, the further
logs are suppressed (AFAIK, with the logic being, that since the whole
idea behind the "log" is to decrease the amount of logging messages, if
we get a lot of hits, we are probably already under stress, so would not
want to stress further by downgrading the logs to sending them
per-packet).

If you have a lot of ACEs that are marked with "log" keyword, this might
be what you see. Decreasing the interval should help to keep the # of
logs under max.

>
> These are our logging settings: already raised queue size, some
> messages moved to another log level so they don't get sent to our syslog
> server. ACL log messages are normally of ID 106100 level debugging, I
> can find several of them on the syslog server but not for the specific
> ACE.

For the specific ACE, you can remove the "log" keyword. Bit
counter-intuitive as this might seem, it would not stop the logging for 
the denied sessions - just the messages will be different
("firewall-style"):

%FWSM-4-106023: Deny icmp src outside:X.1.1.1 dst inside:Y.1.1.1 (type 8, code 0) by access-group "foo" [0x17a38302, 0x0]

instead of:

%FWSM-6-106100: access-list foo denied icmp outside/X.1.1.1(0) -> inside/Y.1.1.3(8) hit-cnt 1 (first hit) [0xe6aea397, 0x0]

That 106023 will be sent one-message-per-hit.

So I think it should precisely fit what you are looking for.

cheers,
andrew
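As an added illustration (not part of this thread or of any Cisco tooling), a small Python parser for the two deny-message formats Andrew quotes above, plus the 106101 cache-limit warning he asks about. It sums denied hits per destination host regardless of whether they arrived as per-packet 106023 or rate-limited 106100 messages, and flags when a 106101 means later 106100 messages were being suppressed. The sample syslog lines are constructed for the example; the addresses, ports and the "(4096)" suffix on the 106101 line are made up.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the 106023/106100/106101 formats quoted in
# the thread; addresses, ports and ACL names are made up.
SAMPLE_LOG = """\
%FWSM-4-106023: Deny icmp src outside:X.1.1.1 dst inside:Y.1.1.1 (type 8, code 0) by access-group "foo" [0x17a38302, 0x0]
%FWSM-4-106023: Deny tcp src inside:10.0.0.5/51234 dst outside:198.51.100.7/80 by access-group "Internet-out" [0x6e051e8c, 0x0]
%FWSM-4-106023: Deny tcp src inside:10.0.0.9/51240 dst outside:198.51.100.7/443 by access-group "Internet-out" [0x6e051e8c, 0x0]
%FWSM-6-106100: access-list foo denied icmp outside/X.1.1.1(0) -> inside/Y.1.1.3(8) hit-cnt 1 (first hit) [0xe6aea397, 0x0]
%FWSM-1-106101: Number of cached deny-flows for ACL log has reached limit (4096)
"""

HEADER = re.compile(r"%FWSM-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)")
# 106023: per-packet deny, sent when the ACE has no "log"; 106100: rate-limited "log" message with a hit count.
DENY_106023 = re.compile(r'Deny (?P<proto>\S+) src [^:]+:(?P<src>\S+) dst [^:]+:(?P<dst>\S+)'
                         r'.*? by access-group "(?P<acl>[^"]+)"')
DENY_106100 = re.compile(r'access-list (?P<acl>\S+) denied (?P<proto>\S+) \S+/(?P<src>[^(]+)\(\d+\)'
                         r' -> \S+/(?P<dst>[^(]+)\(\d+\) hit-cnt (?P<hits>\d+)')


def parse_line(line):
    """Return a dict for one FWSM deny/limit syslog line, or None if it is not one we handle."""
    head = HEADER.match(line.strip())
    if head is None:
        return None
    rec = {"severity": int(head["sev"]), "msg_id": head["id"]}
    if rec["msg_id"] == "106101":
        rec["cache_exhausted"] = True  # from here on, 106100 messages are being suppressed
        return rec
    pattern = {"106023": DENY_106023, "106100": DENY_106100}.get(rec["msg_id"])
    m = pattern.match(head["body"]) if pattern else None
    if m is None:
        return None
    rec.update(m.groupdict())
    rec["hits"] = int(m.groupdict().get("hits", 1))  # 106023 = exactly one packet per message
    return rec


def summarize(text):
    # Sum denied hits per (acl, destination host) and report whether the deny-flow cache filled up.
    per_target, exhausted = Counter(), False
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.get("cache_exhausted"):
            exhausted = True
        else:
            # Drop the /port so tcp, udp and icmp hits aggregate on the destination host.
            per_target[(rec["acl"], rec["dst"].split("/")[0])] += rec["hits"]
    return per_target, exhausted
```

Running `summarize(SAMPLE_LOG)` on the constructed input yields two hits against 198.51.100.7 from the Internet-out ACL, one each against the two hosts behind "foo", and `exhausted == True`, which is the signal that the 106100 count is an undercount.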

