ASA Logging

Hi,
I want to save the logs generated in the ASA. How can I achieve this?
I configured a syslog server, however the logs can't be saved, giving an "invalid format" error.
Any other method?
Thanks

I export ASA logs to Redhat Linux using syslog.  On the ASA sending side this looks like:
logging enable
logging timestamp
logging buffer-size 40960
logging trap informational
! facility number is Unix local6
logging facility 22
! syslog server interface and IP here
logging host SYSLOG-INTERFACE  www.xxx.yyy.zzz
On the Redhat Linux 6.x receiving side (rsyslog) this looks like:
$ModLoad imudp
$UDPServerRun 514
local6.*                                                /var/log/asa/asa.log
-- Jim Leinweber, WI State Lab of Hygiene

Similar Messages

  • ASA Logging Advice/Assistance

    Hello,
    We currently run ASA 5520's at our CO and our Production Controls Manager is looking for an easy way to view the ASA logs for certain users' activity and also for external IP's hitting our outside interface. I am not very knowledgeable when it comes to different industry standard/accepted solutions for logging so that's why I am here.
    I know ASDM has a monitoring tab but I would prefer not to give him access into the ASA directly unless someone in the community knows how to give this access with a set of commands that will lock him out of everything else or if there is a standalone app from ASDM that just shows monitoring/logging info. The other issue with ASDM is the monitoring will most likely be real time or only a few days back and not historical.
    Another option is exporting them to an FTP server which I am fine with doing but I feel he will have an issue going through them all to find the information he needs.
    We do have a SolarWinds server but I don't know how to get the Cisco logs to show up in the GUI so he can read them from a webpage.
    I am sure there are other ways to achieve this but these are the only few that came to mind right off the bat given our environment. Does anyone have a place I can look or a suggestion on an easy way to do this? I am sure it can all depend on the environment but our Production Controls team isn't looking for too much, just a small bit of information.
    Thanks,

    If you have Solarwinds Network Performance Monitor (NPM), you can easily set the ASA to log to it:
    CLI method
    ASDM method
    Log level 4 is most useful for errors and warnings. If they want to see every connection being established, you will need to move up to the much more verbose level 6.
    The manager can then just refer to SolarWinds' syslog viewer for a source of all the syslog data. It's easy to sort by time period, interesting message string etc. You can optionally set actions from the SolarWinds console (via RDP) for selected syslog messages.
    You can set SolarWinds to keep data for a fixed period or by how big the database grows.

  • Converting PIX/ASA logs into CSV

    I work as a network forensics analyst for a gov't agency. We are getting large amounts of PIX and ASA logs being pushed to our Syslog server. I'm trying to create a script to parse/convert the standard PIX/ASA logs into CSV files in order to assist with integration to other products. Has anyone had success with this, or have a perl / shell script(awk grep, etc) written for this task?  I would like to capture as much data as possible.

    What syslog server are you using? The free kiwi syslog has an option to spin a new file based on the time or day to a text file automatically which can be archived later. Seems like kiwi can export in .csv format. http://www.kiwisyslog.com/help/syslogwebaccess/index.html?export_to_csv.htm
    -KS

  • Getting error in ASA logs from CSM - after adding device to inventory

    I've supplied the correct credentials for the ASA in the inventory section of the CSM. I get a success but I also get a failure. The failure in the logs does not show a username; it only shows "" and the protocol as https.
    Any ideas on why this is happening, or suggestions?

  • ASA log exception

    Hi,
    How can I except some IP addresses from log generation on the ASA?
    I want to filter syslog message generation for a specific IP address on the ASA.
    Thanks.

    Yes, you can capture for a particular host and IP.
    You have to define an access-list for that.
    For instance, if you want to capture the ICMP log for the host 192.168.2.115,
    then
    first make an access-list:
    access-list 101 permit  icmp host 192.168.2.115 any
    Then
    you have to attach this access-list with the capture command:
    capture (capture name like newcap) newcap access-list 101 interface (interface name like inside,outside,or dmz1) inside
    Then the command is
    capture newcap access-list 101 interface inside
    Then if you ping your inside interface, the ASA will capture this log.
    Then you can see the log with sh capture (capture name):
    sh capture newcap
    Tell us if this helps you.

  • Cisco ASA Logging

    I have been experiencing some problems at a customer site with a Cisco ASA 5510 where a reboot clears the problem. I am setting up a syslog server to capture the events in  the hope that TAC can assist after the reboot using the captured logs.
    My issue right now is that setting the logging to debugging or informational generates a large file in a short time. Given the situation what is the best option when selecting a logging trap so that when TAC reviews the file it is useful to them.
    Thanks.

    When logging is set to informational or debug the ASA certainly does generate a lot of log messages. Perhaps an option to consider would be to set console logging to informational or debug and then to connect a PC to the console running some terminal emulator that allows you to specify a fairly large buffer for its screen display. (I like SecureCRT because it allows me to do this and probably there are other emulators that allow this also).
    Let the logging to the console run until the problem happens. When the problem happens, go to the PC and do a copy paste of the content of the screen buffer to a file and send the file to TAC. I have done this before and it worked pretty well for me.
    HTH
    Rick

  • ASA - logging via radius with group name passed.

    Hi,
    I'm trying to setup ASA5520 with Radius to authenticate users with group
    privileges.
    Using Radius with ASA to authenticate users is quite simple. When I try
    to pass from asa tunnel-group name (with group-policy and attributes
    attached) there is a problem that ASA doesn't pass any group name to
    radius.
    Is there any way to overcome it?
    What I want to do is to apply different policies to username depending
    with what tunnel-group name he logs in to webvpn. I assume one user may
    be member of different groups.
    br
    Marcin

    It's possible.
    Differentiate your privileges and restrictions based off of group-policy, not the tunnel-group. Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group.
    Create separate group-policies that differentiate what links different groups of users should be presented with. If you're using ACS, link your Cisco Secure Groups to groups in Active Directory (or other method of directory services). The Cisco Secure Groups should then be configured to pass specific RADIUS attributes, such as the "Class" attribute #25. ACS will then tell the ASA to place the user (from Active Directory) into a specific group-policy, which you can then limit URL's shown with the url-list command.
    Long winded, I know...any questions, please ask.

  • Doubt with ASA log

    Hello all,
    I'm receiving this flood line like below in my log, look:
    Dec  3 16:05:00 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.2.50/54429 to 10.11.5.20/5666 flags PSH ACK  on interface inside                  
    When I'm in 172.19.2.50 server, I can connect into 10.11.5.20 on tcp/5666 port.
    So, Why am I receiving those messages in my log?
    Thanks.
    Diego

    Hi,
    Follow the log:
    Dec  4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.19/0 gaddr 172.19.4.113/53027 laddr 172.19.4.113/53027
    Dec  4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/54051 laddr 172.19.4.113/54051
    Dec  4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/54051 laddr 172.19.4.113/54051
    Dec  4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.20/0 gaddr 172.19.4.113/54563 laddr 172.19.4.113/54563
    Dec  4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.17/0 gaddr 172.19.4.113/55331 laddr 172.19.4.113/55331
    Dec  4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.20/0 gaddr 172.19.4.113/54563 laddr 172.19.4.113/54563
    Dec  4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.17/0 gaddr 172.19.4.113/55331 laddr 172.19.4.113/55331
    Dec  4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.13/0 gaddr 172.19.4.113/58915 laddr 172.19.4.113/58915
    Dec  4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.13/0 gaddr 172.19.4.113/58915 laddr 172.19.4.113/58915
    Dec  4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.15/0 gaddr 172.19.4.113/48675 laddr 172.19.4.113/48675
    Dec  4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.15/0 gaddr 172.19.4.113/48675 laddr 172.19.4.113/48675
    Dec  4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.10/0 gaddr 172.19.4.113/46883 laddr 172.19.4.113/46883
    Dec  4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.10/0 gaddr 172.19.4.113/46883 laddr 172.19.4.113/46883
    Dec  4 08:55:33 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670306 for dmz:10.11.7.20/5666 (10.11.7.20/5666) to inside:172.19.4.113/51467 (172.19.4.113/51467)
    Dec  4 08:55:33 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670306 for dmz:10.11.7.20/5666 to inside:172.19.4.113/51467 duration 0:00:00 bytes 2792 TCP FINs
    Dec  4 08:55:34 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670308 for dmz:10.11.7.21/5666 (10.11.7.21/5666) to inside:172.19.4.113/43008 (172.19.4.113/43008)
    Dec  4 08:55:34 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670308 for dmz:10.11.7.21/5666 to inside:172.19.4.113/43008 duration 0:00:00 bytes 2792 TCP FINs
    Dec  4 08:55:37 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670312 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60040 (172.19.4.113/60040)
    Dec  4 08:55:37 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670313 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60041 (172.19.4.113/60041)
    Dec  4 08:55:37 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670313 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60041 duration 0:00:00 bytes 840 TCP FINs
    Dec  4 08:55:37 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670312 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60040 duration 0:00:00 bytes 840 TCP Reset-O
    Dec  4 08:55:37 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60040 to 10.11.7.17/5666 flags PSH ACK  on interface inside
    Dec  4 08:55:39 10.11.2.2 %ASA-6-302016: Teardown UDP connection 1670103 for inside:172.19.4.113/55775 to identity:10.11.2.2/161 duration 0:02:01 bytes 144
    Dec  4 08:55:44 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
    Dec  4 08:55:44 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
    Dec  4 08:55:45 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
    Dec  4 08:55:45 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
    Dec  4 08:55:46 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
    Dec  4 08:55:46 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
    Dec  4 08:55:46 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670322 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60055 (172.19.4.113/60055)
    Dec  4 08:55:46 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670322 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60055 duration 0:00:00 bytes 824 TCP Reset-O
    Dec  4 08:55:46 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60055 to 10.11.7.17/5666 flags PSH ACK  on interface inside
    Dec  4 08:55:47 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
    Dec  4 08:55:47 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
    Dec  4 08:55:48 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
    Dec  4 08:55:48 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
    Dec  4 08:55:51 10.11.2.2 %ASA-6-302016: Teardown UDP connection 1670115 for inside:172.19.4.113/53500 to identity:10.11.2.2/161 duration 0:02:01 bytes 152
    Dec  4 08:55:56 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670335 for dmz:10.11.7.20/5666 (10.11.7.20/5666) to inside:172.19.4.113/51507 (172.19.4.113/51507)
    Dec  4 08:55:56 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670335 for dmz:10.11.7.20/5666 to inside:172.19.4.113/51507 duration 0:00:00 bytes 2792 TCP FINs
    Dec  4 08:55:57 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670336 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60070 (172.19.4.113/60070)
    Dec  4 08:55:57 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670336 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60070 duration 0:00:00 bytes 840 TCP FINs
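
An added example (not code from any poster in these threads): a small Python converter that turns ASA/PIX syslog lines in the format quoted above into CSV, as asked in the "Converting PIX/ASA logs into CSV" thread, and marks each 106015 "Deny TCP (no connection)" that arrives within a few seconds of a 302014 teardown of the same address/port pair, the sequence visible at 08:55:37 and 08:55:46 in the log above. The year argument, the 5-second window, the column names and the last sample line are assumptions made for the example; the other sample lines are copied from the thread.

```python
import csv
import io
import re
from datetime import datetime

# Lines 1-4 are copied from the thread above; line 5 is constructed for the example.
SAMPLE = """\
Dec  4 08:55:37 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670312 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60040 (172.19.4.113/60040)
Dec  4 08:55:37 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670312 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60040 duration 0:00:00 bytes 840 TCP Reset-O
Dec  4 08:55:37 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60040 to 10.11.7.17/5666 flags PSH ACK  on interface inside
Dec  4 08:55:39 10.11.2.2 %ASA-6-302016: Teardown UDP connection 1670103 for inside:172.19.4.113/55775 to identity:10.11.2.2/161 duration 0:02:01 bytes 144
Dec  4 08:56:10 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.99/40000 to 10.11.7.17/5666 flags ACK  on interface inside
"""

# "<Mon> <day> <time> <device> %ASA-<severity>-<id>: <text>", as stored by the syslog server.
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<device>\S+)\s+"
    r"%(?:ASA|PIX)-(?P<severity>\d)-(?P<msg_id>\d{6}):\s+(?P<text>.*)$")

def ep(tag):
    """Regex for one endpoint: optional 'ifname:' prefix, then ip/port."""
    return rf"(?:[\w-]+:)?(?P<ip_{tag}>[\d.]+)/(?P<port_{tag}>\d+)"

BODY = {  # per-message-ID patterns; other IDs keep only the header columns and raw text
    "302013": re.compile(rf"connection (?P<conn>\d+) for {ep('a')} \(.*?\) to {ep('b')}"),
    "302014": re.compile(rf"connection (?P<conn>\d+) for {ep('a')} to {ep('b')} "
                         r"duration \S+ bytes \d+\s*(?P<detail>.*)$"),
    "106015": re.compile(rf"from {ep('a')} to {ep('b')} flags (?P<detail>.*?)\s+on interface"),
}
FIELDS = ["time", "device", "severity", "msg_id", "conn", "ip_a", "port_a",
          "ip_b", "port_b", "detail", "after_teardown", "text"]

def parse(line, year):
    """Return a dict for one syslog line, or None if it is not an ASA/PIX message."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    row = dict.fromkeys(FIELDS, "")
    row.update(m.groupdict())
    # The syslog header carries no year, so the caller supplies it (assumption).
    row["time"] = datetime.strptime(f"{year} {row.pop('ts')}", "%Y %b %d %H:%M:%S")
    body = BODY.get(row["msg_id"])
    hit = body.search(row["text"]) if body else None
    if hit:
        row.update(hit.groupdict())
    return row

def correlate(rows, window=5):
    """Mark each 106015 deny that follows a 302014 teardown of the same flow."""
    last_teardown = {}
    for row in rows:
        if not row["ip_a"]:
            continue  # message type without parsed endpoints
        flow = frozenset([(row["ip_a"], row["port_a"]), (row["ip_b"], row["port_b"])])
        if row["msg_id"] == "302014":
            last_teardown[flow] = row
        elif row["msg_id"] == "106015":
            prev = last_teardown.get(flow)
            age = (row["time"] - prev["time"]).total_seconds() if prev else None
            if prev and 0 <= age <= window:
                row["after_teardown"] = f'{prev["conn"]} ({prev["detail"]})'
    return rows

def to_csv(lines, year):
    """Parse, correlate and return (rows, csv_text)."""
    rows = correlate([r for r in (parse(ln, year) for ln in lines) if r])
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return rows, out.getvalue()

if __name__ == "__main__":
    print(to_csv(SAMPLE.splitlines(), 2013)[1])
```

A deny whose `after_teardown` column is empty, like the constructed last line, has no recent teardown for that flow in the file and is the one worth a closer look.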

  • ASA Logs

    I'm trying view the traffic logs. Can someone assist me with the command?

    Here are the steps for setting up the syslog server.
    First you would need to install a syslog server software on one of the computers. You may
    download one of the popular kiwisyslog server from
    http://www.kiwisyslog.com/software_downloads.htm . It is listed as Kiwi
    Syslog Daemon and latest version is 8.2.8. You may download standard edition that runs as
    a program.
    Once the syslog server is installed you will then need to login into the ASA in
    configuration terminal mode and enter the following commands.
    logging host [in_if_name] ip_address
    (example: logging host inside 1.2.3.4
    We are assuming syslog server is installed on computer with IP address 1.2.3.4 in the
    inside network.)
    logging timestamp
    logging trap 4
    logging on
    These commands will enable the ASA to start sending syslog messages to the syslog server.
    For more information on logging commands you may refer to this URL:
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a008010578b.html#1028090
    Trap levels
    0 - emergencies - System unusable messages
    1 - alerts - Take immediate action
    2 - critical - Critical condition
    3 - errors - Error message
    4 - warnings - Warning message
    5 - notifications - Normal but significant condition
    6 - informational - Information message
    7 - debugging - Debug messages and log FTP commands and WWW URLs
    Do rate helpful posts.
    Regards,
    Sushil

  • ASA - log users out of ASDM after 10 mins of idle time?

    Hello,
    How can I get idle users logged out of the ASDM after 10 mins?
    I have SSH and the console set fine, but not the ASDM.
    Many thanks

    Hi Andy,
    You can increase the ASDM timeout value by the command:
    http server idle-timeout
    Here's the ref:
    http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/gh.html#wp1782511
    The default value is 20 mins
    Hope that helps,
    Rate if helpful..
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • ASA - log successful and failed logons to syslog server?

    Hello,
    How can I log successful and failed SSH and ASDM logons to our syslog server?
    Thanks

    Hi,
    I haven't really touched the default logging configurations much but some firewalls that I manage have "logging trap informational" which sends messages of users connecting to the firewall.
    The messages show which username was used and if it was rejected or accepted. These messages all seem to be "informational" / "level 6" syslog messages.
    The syslog IDs for them are:
    ASA-6-113008
    ASA-6-113012
    ASA-6-113015
    Though these messages only show information about the AAA not which type of connection was used (I tried both SSH and ASDM to see)
    I'm sure there are more messages that will show additional information about the connection and also what the logged user did on the firewall during the management connection.
    - Jouni
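
An added example (not from the post above): a Python check that reads a syslog file containing the three message IDs listed in the reply and reports any user on a device with a burst of rejected logons, and whether an accepted logon followed. Only the IDs come from the post; the message wording after each ID, the sample lines, the device address 192.0.2.1, the year argument, and the threshold and window values are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not captured from a real device).
AUTH_SAMPLE = """\
Dec  4 09:00:01 192.0.2.1 %ASA-6-113012: AAA user authentication Successful : local database : user = operator
Dec  4 09:01:10 192.0.2.1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin
Dec  4 09:01:15 192.0.2.1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin
Dec  4 09:01:21 192.0.2.1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin
Dec  4 09:01:30 192.0.2.1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin
Dec  4 09:02:02 192.0.2.1 %ASA-6-113012: AAA user authentication Successful : local database : user = admin
Dec  4 09:02:02 192.0.2.1 %ASA-6-113008: AAA transaction status ACCEPT : user = admin
Dec  4 09:10:00 192.0.2.1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = backup
Dec  4 09:10:05 192.0.2.1 %ASA-6-302016: Teardown UDP connection 1 for inside:192.0.2.10/55775 to identity:192.0.2.1/161 duration 0:02:01 bytes 144
"""

# Outcome is decided by message ID alone, so wording changes between releases do not matter.
OUTCOME = {"113008": "accepted", "113012": "accepted", "113015": "rejected"}
AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<device>\S+)\s+"
    r"%ASA-6-(?P<msg_id>113008|113012|113015):.*\buser = (?P<user>\S+)")

def auth_events(lines, year):
    """Return (time, device, user, outcome) tuples; non-AAA lines are skipped."""
    events = []
    for line in lines:
        m = AUTH.match(line.strip())
        if m:
            # The syslog header has no year, so the caller supplies it (assumption).
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((when, m["device"], m["user"], OUTCOME[m["msg_id"]]))
    return events

def findings(events, threshold=3, window=timedelta(minutes=5)):
    """Report (device, user) pairs with >= threshold rejections inside one window.

    then_accepted is True when any accepted logon for that pair follows the burst.
    """
    recent = defaultdict(list)  # (device, user) -> rejection times still inside the window
    found = {}
    for when, device, user, outcome in sorted(events):
        key = (device, user)
        if outcome == "rejected":
            recent[key] = [t for t in recent[key] if when - t <= window] + [when]
            if len(recent[key]) >= threshold:
                entry = found.setdefault(key, {"rejections": 0, "then_accepted": False})
                entry["rejections"] = max(entry["rejections"], len(recent[key]))
        elif key in found:
            found[key]["then_accepted"] = True
    return found

if __name__ == "__main__":
    for key, info in findings(auth_events(AUTH_SAMPLE.splitlines(), 2013)).items():
        print(key, info)
```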

  • Cisco ASA Logs - Viewing History Log

    Hi,
    I have a question regarding viewing the Cisco log. When I tried to build the filter to view logs for a particular IP from a particular period of time, I am not able to see the logs. I have attached the screenshot of the logging configuration. Please advise if I have missed any setting.
    Thks and Rgds

    Hi,
    When I do a show logging on the CLI, I am able to see the logs. But when I tried to build the filter to view logs for a particular IP from a particular period of time on the ASDM, I am not able to see the logs.
    Is it that the sizing for the maximum space that logging can use on the flash is too small, as currently I have left it at the default of 1024KB?
    Should I increase the sizing?
    Thks and Rgds

  • ASA 5520 - ASDM logging: disable rules logging

    Hello all,
    I'm encountering what I think is an issue with the logging system on FW ASA 5520 - ASA Version 8.4(2), ASDM version 6.4(5). When I disable logging inside a rule from ASDM, or from the console with the "log disable" option inside the ACL, and I check the ASDM real-time logging window, I continue to see all the entries related to disabled rules. Is this correct behaviour for ASA logging? How can I "hide" the entries related to disabled rules (this is what I need for troubleshooting purposes)?
    Thanks in advance for every reply.
    Regards.

    Hi Paolo,
    Well, if it is just for a specific rule, the log keyword at the end of the ACL should not be there, but if you don't want to see the log at all you can use the no logging message command.
    Mike

  • ASA url logging

    Hi,
    I'm attempting to make our ASA log urls and I am getting some success. However, the output presents the IP instead of the actual domain, e.g, when browsing to imdb it is logged as:
    Nov 16 2009 14:12:35: %ASA-5-304001: 30.30.30.30 Accessed URL 209.85.229.148:/adj/imdb2.consumer.homepage/;tile=2;sz=468x60,728x90,1008x150,9x1;p=t;s=32;;ord=9973051011677648
    rather than imdb.com/....(or whatever it happens to be).
    How do I get the ASA to log the domain rather than the corresponding IP address?
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#related
    states the ASA has to run vers 8.0.4.24 or later, ours has 8.2(1).
    Thanks,
    Scott

    After Cisco got back to me about the logging problem and I loaded the new code, it works.
    I was running 8.2(1), had to upgrade to 8.2(3), and now the logging is working.
    The 10.10 is an inside test network that I am coming from to http://www.cisco.com
    I hope that this helps everyone. Now off to write some code to put this in a database to see where people are going.
    Nov 11 2010 19:18:31: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/
    Nov 11 2010 19:18:32: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/offers/js/mbox.js
    Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/hub.swf
    Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/j/home.metrics_ut.js?v=ut2.1.201009
    Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/j/home.s_code_ut.js?v=ut2.1.2010091
    Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/hp-fatfooter-menu.png
    Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 198.133.219.119:http://newsroom.cisco.com/dlls/cdc_news_json_v1.js?cacheRese
    Nov 11 2010 19:18:35: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/tsweb/searchplugins/cdc_search.xml
    Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/co/menu-content.html
    Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-box-shadow.png
    Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-corners.png
    Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-spinner.gif
    Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-sprite.png
    Nov 11 2010 19:18:39: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/en.c
    Nov 11 2010 19:18:40: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/fr.c
    Nov 11 2010 19:18:40: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/ch.c
    Nov 11 2010 19:18:40: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/de.c
    Nov 11 2010 19:18:41: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/swf/chic

  • Cisco Jabber Client for Windows 9.7 Can't Connect to Other IPSec VPN Clients Over Clustered ASAs

    Environment:
    2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
    Both ASAs are at version 8.4(5)6
    IPSec VPN Client version: 5.0.07.440 (64-bit)
    Jabber for Windows v9.7.0 build 18474
    Issue:
      If I am an IPSec VPN user…
       I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
       I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
    In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

    Portu,
    Thanks for your quick reply.
    Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above.  I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
    I can, though, do whatever you want on the Linux router.  Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
    As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this.  (But I might need a bit of handholding if I need to set up a wireshark and/or tcpdump.)
    Thanks again.
