ASA error syslog messages

We started getting the below syslog messages from one of our ASA5520 which was recently upgraded to 8.4(2).Anyone familiar with bugs on 8.4(2) that cause this or its simply the RAM failure?
%ASA-3-105010: (Primary) Failover message block alloc failed
%ASA-3-321007: System is low on free memory blocks of size 1550 (0 CNT out of 18709 MAX)

It could be any one of these CSCto74092 and CSCts48937, but still it needs to be properly investigated. I would suggest you open a TAC case for further investigation.
Thanks,
Varun Rao
Security Team,
Cisco TAC

Similar Messages

ASA send syslog messages for configuration changes

On a router you can send configuration changes to the syslog server by doing,
conf t
archive
log config
logging enable
notify syslog
Then the router will send something like,
.Aug 3 13:12:00.776 PACIFIC: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:no interface Loopback76
if I had typed at the command line, "no int lo76"
How do you do this on the ASA?
Goal: I want to know when anybody does any kind of config on my ASA.

The syslog number 111008 and 111010 will log the command that is entered by user.
111010 is for configuration changes.
Here is the syslog for your information:
111008:
http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html#wp4769400
111010:
http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html#wp4769410
You need to enable syslog, and severity level 5, and if you don't want to see any other logging, you can only log the above 2 syslog numbers.

Cisco ASA configuration changed messages

Hi Team,
What are the configuration changed messages except 111008 message id for Cisco ASA.Any syslog message is there which shows who and what has been changed?
Regards,
Shalendra

Hi,
Yes , these are the ones that are going to show you all the information about the user changes on the ASA device.
You can also use AAA Accounting , User Identity firewall etc on the ASA device for the same.
Thanks and Regards,
Vibhor Amrodia

Syslog messages coming from Standyby ASA ?

I have a pair of ASA's in Active/Standby configuration. I noticed this morning that the secondary ASA is generating syslog messages when I dont think it should. Here is the logging configuration -
logging enable
logging timestamp
logging buffer-size 1048576
logging console informational
logging buffered informational
logging trap informational
logging history critical
logging asdm critical
logging mail critical
logging host inside 10.1.4.12
This is the interface that syslog should be coming out of on the primary ASA -
interface GigabitEthernet0/1
description 10.1.85.0/24 Internal Interface
nameif inside
security-level 100
ip address 10.1.85.31 255.255.255.0 standby 10.1.85.32
ospf retransmit-interval 1
ospf hello-interval 1
ospf dead-interval 3
Cisco Adaptive Security Appliance Software Version 8.2(3)
Device Manager Version 6.3(4)
I ran the packet capture wizard on the secondary ASA and saw no syslog traffic coming from it.
Anybody else seen this ?
Ron

Ron
The message that you show us is part of what the ASA is doing to maintain state for all the VPN connections from the primary ASA. I see similar syslog messages from the standby unit in an ASA active/standby pair.
You say:"I wouldnt expect any messages to be coming from it since it isnt really doing anything." But the standby unit is really doing things. As a new session is established on the primary the secondary must process and retain that information. And when a session is discontinued on the primary then the standby must process that also and remove the session from the state table. If the standby were not busy doing these things then it would not be able to take over and process sessions correctly if the primary were to fail.
HTH
Rick

Syslog Messages in the ASA 8.6.1

Hi,
Can someone provide me the list of new Syslog messages added in the Cisco ASA version 8.6.1?
Thanks

Here is the list of all the syslog messages which is the same for 8.4, 8.5, 8.6 and 8.7:
http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html
Unfortunately there isn't list of just the "new" syslog that has been added to those versions.

Cisco ASA Connection Denied syslog messages

Hi,
Could you please provide the connection denied syslog messages, I'm not able to differentiate the messages from syslog guide
Regards,
Shalendra

Hi Shalendra,
For TCP connection denied syslog , 106001 is the id.
For protocol denied connection, 106002 is the id.
For connection denies due to logging permit-hostdown policy, 414006 is the id.
Refer to this link:
http://www9.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logsevp.html#13063
Regards,
Shrinkhala

CUCM Syslog Message ISSUE (kernel: Exceeded hashlimit)

Hello.
Our Customer using CUCM 9.0 (PUB :1 , Sub : 4) and 4 Voice Gateway Cisco 3945 (16 E1 PRI per each Gateway)
CUCMs have problem with syslog messages.
I saw these messages in rtmt syslog
- kernel: Exceeded hashlimit IN=bond0 OUT= MAC=34:40:b5:d5:63:e8:1c:e6:c7:52:44:40:08:00 SRC=130.1.254.27 DST=130.1.13.11 LEN=204 TOS=0x00 PREC=0x00 TTL=246 ID=19646 PROTO=UDP SPT=19200 DPT=30546 LEN=184
kernel: Exceeded hashlimit IN=bond0 OUT= MAC=6c:ae:8b:67:1a:28:bc:16:65:12:99:7f:08:00 SRC=130.1.254.27 DST=130.1.14.13 LEN=204 TOS=0x18 PREC=0xA0 TTL=253 ID=42621 PROTO=UDP SPT=26694 DPT=26842 LEN=184
What's the problem with these messages ?
And how can I solve this problem
Thanks.

I used to have the same problem, it was a sip trunk against to one CME, just reset the sip trunk in CUCM it fixed the error. it is because the end poing is sending a lot of requests to CUCM

Unterstanding syslog messages from our wlc

Hello,
we use two wlc 4402 (4.1.181.0) and several leightweight accesspoints (AIR-AP1010-E-K9 and AIR-AP1030-E-K9 ) connected to them.
On our syslog server we get a lot of messages from the two wlc, and there are 3 message types which I am a little bit afraid of.
1. ca. 10 times per hour we get the message
apf_80211.c:4792 APF-6-NO_CONFIG_CHANGES: Not saving 'apf.cfg' - no config changes."
Cisco system message guide:
Error Message %APF-6-NO_CONFIG_CHANGES: Not saving '[chars]' - no config changes.
Explanation Not saving - no config changes.
Recommended Action No action is required.
Does anybody know why we get this messages and if it's possibly to suppress them?
2. Intermittently (several times a day) we get the following message types:
a) [ERROR] spam_l2.c 723: Max retransmissions reached on AP 00:0B:85:56:63:40 (CONFIGURE_COMMAND^M , 2)"
b) [ERROR] spam_tmr.c 569: Did not receive hearbeat reply from AP 00:0b:85:56:ae:40"
The MAC address is not every time the same but one of our accesspoints.
On our network management system we get the following trap messages with nearly exactly the same timestamp:
14.01.2008 04:21:56 CET
AP ''00.0b.85.56.63.40'', interface ''0x1'' is down.
When Airespace AP's interface operation status goes down this trap will be sent.
bsnAPDot3MacAddress = 00.0b.85.56.63.40
bsnAPIfSlotId = 0x1
14.01.2008 04:21:56 CET
AP disassociated from Switch.
When an Airespace AP disassociates from a Airespace Switch, the AP disassociated notification will be sent with the dot3 MAC address of the Airespace AP. This will notify the management system to remove Airespace AP from this Airespace Switch.
bsnAPMacAddrTrapVariable =
14.01.2008 04:22:25 CET
AP associated with Switch.
When an Airespace AP Associates to a Airespace Switch, the AP associated notification will be sent with the dot3 MAC address of the Airespace AP. This will help the management system to discover the Airespace AP and add it to system.
bsnAPMacAddrTrapVariable =
bsnAPPortNumberTrapVariable = 1
Cisco system message guide:
a) Error Message %LWAPP-3-TX_ERR3: Max retransmissions for LWAPP control message reached on AP [hex]:[hex]:[hex]:[hex]:[hex]:[hex] for [chars] (number of pending messages is [dec])
Explanation Maximum number of times an LWAPP control packet is transmitted before declaring the AP dead has been reached for this AP. The AP may not be on the network, or might have rebooted.
Recommended Action Check if the AP has rebooted or if it has been removed from the network, or if there are connectivity issues between the AP and the controller.
b) Error Message %LWAPP-3-ECHO_ERR: Did not receive heartbeat reply; AP: [hex]:[hex]:[hex]:[hex]:[hex]:[hex]
Explanation Controller did not get a response for the AP heartbeat message. There may be connectivity issues between the AP and the controller.
Recommended Action Check if the AP has rebooted or if it has been removed from the network, or if there are connectivity issues between the AP and the controller.
Because we don't see any network problems I'm wondering why the connection is lost.
Does anybody have an idea, perhaps CSCsh13928 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh13928, but we don't have much traffic on the wlans) ?
Is there any possibility to remotely check if the accesspoint rebooted?
If you need further information please give me a short feedback.
Many thanks in advance,
Thorsten Steffen

Thanks for the help.
I have set up to send email and syslog messages from the RME applications. LMS server immediately started to send messages to the email server but syslog messages are not forwarded to the syslog server. Everything was done according to your instructions except that the name of the first script (syslog_forward.pl) is made consistent with what the second script (.bat) refer to (forward1.pl). What's the problem? Do RME sends the standard syslog messages via UDP port 514?
Sincerely.

Discriminate between syslog messages - targets

Hi there,
I might be trying to do the impossible here, but I am trying to get my ASA 8.2(1) to send certain syslog messages to one host and other messages to another host.
By default we are using facility 23 as our logging facility. Logging trap is set to informational and there are 2 hosts that I am logging to. Both host are receiving all the informational messages that are being sent. One of the hosts is being overwelmed by the amount of traffic. This host only needs to receive the syslog message 111008, and no others. I have been trying to figure out how to send only this one message to the host, but syslog seems to be an all or nothing proposition. Any ideas? Regardless of what I come up with, it always seems that all hosts receive whatever I configure. I can't seem to define syslog traffic on a per target basis.

You are right. You can't define 2 syslog servers to send 2 different list of syslog messages. However, you can define seperate list of syslog messages, and send 1 list to syslog server, and send another list to buffer for example.
Here is the example for your reference:
logging list 111008-list message 111008
logging list the-rest-list message 101001-111007
logging list the-rest-list message 111009-742010
logging buffered 111008-list
logging trap the-rest-list
Hope that helps.

ACE : PROBE-FAILED and Syslog messages

Hi,
When a real server is in PROBE-FAILED status, I observe a syslog message at each trial of the proble. This fills our syslog server. Is there a mean to configure the ACE in such a way that a syslog message would be generated only when a transition occurs in the probe status ?
Thank you for any hints,
Yves

Hello,
You can utilize "logging trap " command and
"logging message level " command
in order to achive what you are seeking.
The "logging trap " command limits the logging messages sent to a syslog server based on severity.
If it is set to "5 - notification", all messages that have security level of 5 or lower number are sent to the syslog server.
You can disable the display of a specific syslog
message or change the severity level of a specific system log message using
"logging message level " command.
Not sure what kind of probe you are using but If it is ICMP probe and
the reason of probe failure is arp, it generates a message for every try
as below with severity level of 3, by default.
%ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
%ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
%ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
%ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
%ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
%ACE-5-441002: Serverfarm (SF) is now back in service in policy_map (fs) -->
class_map (#class_default_slb). Number of failovers = 0, number of times back in service = 0
%ACE-4-442007: VIP in class: 'VIP' changed state from OUTOFSERVICE to INSERVICE
%ACE-5-441002: Serverfarm (SF) is now back in service in policy_map (fs) -->
class_map (#class_default_slb). Number of failovers = 0, number of times back in service = 0
%ACE-4-442004: Health probe ICMP detected rserver r1 (interface vlan31) changed state to UP
%ACE-4-442001: Health probe ICMP detected r1 (interface vlan31) in serverfarm SF changed state to UP
If your "logging trap " is set to "5 - notification" and you do not want
the message "%ACE-3-251009:xxx" to be sent to syslog server,
you can change its security level like below.
switch/Admin(config)# logging message 251009 level 6
switch/Admin(config)# do show logging message 251009
Message logging:
message 251009: current-level 6 default-level 3 (enabled)
You can check the message id that is filling the syslog server
and change its security level to higher number than "logging trap ".
Regards,
Kimihito.

ACE Syslog message for State change

Hi,
Is there a syslog message for a state-change for rservers, if so how could we enable this?
e.g. when probe fails state changes to 'probe-failed'
when all probes are successful state is 'operational'
Thank you
Bilal

Hi,
There is a syslog message something like below:
%ACE-3-251006: Health probe failed for server 10.80.10.10 on port 80 internal error: failed to setup a socket.
First enable logging on ACE.
ACE/Admin(config)# logging enable
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/config.html#wp1063750
read the section: Specifying Syslog Output Locations
logging buffered 3 should generate syslog in event of probe failure.
You can also set snmp to monitor it.
cesRealServerStateChange
CISCO-ENHANCED-
SLB-MIB
State of a real server configured in a server farm changed to a new state as a result of something other than a user intervention. This notification is sent for situations such as ARP failures, probe failures, and so on.
Hope that helps.
regards,
Ajay Kumar

Disable specific syslog message

Hi,
How do I stop the "%ENVMON-4-FAN_LOW_RPM" messages?
I have about 30 routers that have this problem, and the syslog messages flodding me...
My current config in the routers is "logging trap debugging" and I want to keep it that way.
I only need to stop the fan related messages.
Thanks,
Meir

Hi,
I think you can only set the severity level for the global logging higher than level 4 (warnings).
I have only the config for a switch at the moment, but I think it should ne the same on a router.
For the local logging buffer:
logging buffered errors ! errors = severity level 3
For the syslog server:
logging trap errors
I never heard something about to disable one special syslog message on the device.
But you can create a message filter for that syslog message in LMS under RME -> Tools -> Syslog -> Message Filters.
Sven

RV110W excessive syslog messages

I bought a RV110W wireless router a couple months ago that I've been pretty happy with.
However, I have one significant problem with it. It is configured to send syslog messages to an internal server. Twice now it has gone into a mode where it starts dumping messages like,
ip_conntrack_is_ipc_allowed: ipc_entry_is_full
continuously, at a rate of about 20 per second. It otherwise seems to function normally, but of course if unnoticed my syslog file quickly grows to hundreds or thousands of megabytes. A reboot restores normal operation. It is running firmware 1.1.0.9. A search on the internet turned up no information about this problem.
It may be some corruption is occuring in the router's OS, or perhaps this is something that can be triggered externally (in which case it would be a weak form of DoS attack? Or maybe worse if in this state it is unable to properly apply the firewall rules.)
Looking for some hints on what might be wrong and how to fix.

I have also experieced the same issue. I did not reboot the Wireless Router but the logging has seemed to stop. I'm not sure what caused it either. I did clear the log and it has not been logging the error "ip_conntrack_is_ipc_allowed: ipc_entry_is_full".
I would like a response from Cisco on this error. How do we get Cisco to respond?

After WCS v4.1.91.0 upgrade: Strange SYSLOG message

Hi
After upgrading WCS to v 4.1.91.0 and Controller 4400 to v.1.185 I get these SYSLOG message:
Emergency <DATE> 1x_ptsm.c:419 DOT1X-1-MAXEAP_RETRANS_FOR_MOBILE: MAX EAP retransmissions reached for mobile <MAC>
Critical <DATE> iapp_socket_task.c:580 IAPP-3-MSGTAG015: iappSocketTask: iappRecvPkt returned error
Can?t find any info on cisco.com or any release notes. Anybody know what it means and what I can/should do?
TIA
Peter

Actually, Maximum EAP Retransmissions message indicates that EAPOL key retransmission to client has failed. Increase the no of error count for failure. But to further trace down the issue, we need a complete syslog output to which this MAX EAP retransmission message is associated with.
Check whether AAA server is UP and running(if external RADIUS server is used). What EAP authentication type you are using?. Let me know these details.

Syslog Message

Hi all,
In my firewall ASA 5540,Every day I am getting the syslog message.
4
Jul 07 2014
08:57:39
[ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 7 per second, max configured rate is 4; Cumulative total count is 28683
Please explain about above mentioned syslog.

Hi Kabeer,
That is because of the threat detection value set on your ASA. This might be an attack.
Because of the scanning rate configured and the
threat-detection rate scanning-rate 3600
average-rate 15
command:
%ASA-4-733100: [144.60.88.2] drop rate-2 exceeded. Current burst rate is 0 per
second, max configured rate is 8; Current average rate is 5 per second, max
configured rate is 4; Cumulative total count is 38086
Recommended Action
Perform the following steps
according to the specified
object type that appears
in the message:
1.
If the object in the message is one of the following:
Firewall
Bad pkts
Rate limit
DoS attck
ACL drop
Conn limit
ICMP attck
Scanning
SYN attck
Inspect
Interface
Check whether the drop rate is ac
ceptable for the running environment.
2.
Adjust the threshold rate of the particular drop to an appropriate value by using the
threat-detection rate
xxx command, where
xxx
is one of the following:
acl-drop
bad-packet-drop
conn-limit-drop
dos-drop
fw-drop
icmp-drop
inspect-drop
interface-drop
scanning-threat
syn-attack
3.
If the object in the message is a TCP or UDP port
, an IP address, or a
host drop, check whether
or not the drop rate is accepta
ble for the running environment.
4.
Adjust the threshold rate of the particular drop to an appropriate value by using the
threat-detection rate bad-packet-drop
command.
Note
If you do not want the drop rate exceed warning to appear, you can disable it by using
the
no threat-detection basic-threat command.
You can refer the below mentioned cisco document for more information.
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs.pdf
Regards
Karthik

ASA error syslog messages

Similar Messages

Maybe you are looking for