ASA monitoring
I can monitor site-to-site connections and user VPNs with no problem. I can't seem to monitor my firewall/rules in real time. I want to filter on certain addresses. I have a 5520. Any help is appreciated.
Thanks,
Charlie
Hi Bro
What Karsten Iwen said is true. You'll need to enable logging on your Cisco ASA firewall, and you'll be able to view your firewall rule hits in real time (provided the rule ends with the keyword "log").
The example below shows firewall rule hits viewed in real time from the console (the firewall's logging buffer):
FW1# show run logging
logging enable
logging timestamp
logging list TEST1 message 106100
logging buffered TEST1
logging device-id hostname
Jul 16 2012 12:46:13 FW1 : %ASA-6-106100: access-list inside permitted tcp inside/172.29.26.17(2678) -> outside/172.29.209.144(139) hit-cnt 1 first hit [0xd9e2aa06, 0x0]
Jul 16 2012 12:46:13 FW1 : %ASA-6-106100: access-list inside permitted tcp inside/172.29.26.12(2539) -> outside/172.29.209.144(445) hit-cnt 1 first hit [0xd9e2aa06, 0x0]
Please help to rate the comments provided, if you find it useful :-)
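The buffer output above is keyed by message ID (`logging list TEST1 message 106100`), which is how the answer gets rule hits into the buffer, but the original poster also wanted to filter on particular addresses, and a logging list cannot do that. The Python below is an added example, not code from this thread or from Cisco: it parses %ASA-6-106100 lines in the format shown above, keeps only hits whose source or destination falls in a given address or prefix, and sums the `hit-cnt` field rather than counting lines (the ASA already aggregates hits per interval). The first two sample lines are the ones posted above; the denied line and the 302014 teardown line are constructed to show the interval form and that unrelated messages are skipped.

```python
#!/usr/bin/env python3
"""Filter Cisco ASA %ASA-6-106100 access-list hit messages by address.

Added example, not part of the original post or of any Cisco tool.  It
assumes the syslog format shown in the thread, read back line by line
from the logging buffer or from a syslog server.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List

# One regex for the 106100 body.  The interval field is either "first hit"
# or "<n>-second interval" (later hits inside the same interval); a user
# name in parentheses may follow the port on newer releases, so allow it.
ACL_HIT_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src>[^()\s]+)\((?P<sport>\d+)\)(?:\([^)]*\))? -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^()\s]+)\((?P<dport>\d+)\)(?:\([^)]*\))? "
    r"hit-cnt (?P<hits>\d+) (?P<interval>first hit|\d+-second interval)"
)


@dataclass(frozen=True)
class AclHit:
    acl: str
    action: str
    proto: str
    src_if: str
    src: str
    sport: int
    dst_if: str
    dst: str
    dport: int
    hits: int
    first_hit: bool


def parse_acl_hits(lines: Iterable[str]) -> List[AclHit]:
    """Return one AclHit per 106100 line; every other syslog line is ignored."""
    out: List[AclHit] = []
    for line in lines:
        m = ACL_HIT_RE.search(line)
        if not m:
            continue
        out.append(AclHit(
            acl=m["acl"], action=m["action"], proto=m["proto"],
            src_if=m["src_if"], src=m["src"], sport=int(m["sport"]),
            dst_if=m["dst_if"], dst=m["dst"], dport=int(m["dport"]),
            hits=int(m["hits"]), first_hit=(m["interval"] == "first hit"),
        ))
    return out


def _in_net(addr: str, net) -> bool:
    try:
        return ip_address(addr) in net
    except ValueError:  # the ASA logs a name here when `names` is configured
        return False


def filter_by_address(hits: Iterable[AclHit], spec: str) -> List[AclHit]:
    """Keep hits whose source or destination is in `spec`.

    `spec` is a single address ("172.29.209.144") or a prefix
    ("172.29.26.0/24"); this is the per-address filter that
    `logging list ... message 106100` alone does not provide.
    """
    net = ip_network(spec, strict=False)
    return [h for h in hits if _in_net(h.src, net) or _in_net(h.dst, net)]


def summarize(hits: Iterable[AclHit]) -> Counter:
    """Total hit-cnt per (acl, action, proto, dst, dport).

    hit-cnt is already aggregated by the ASA per interval, so summing it
    rather than counting lines gives the real number of matching flows.
    """
    totals: Counter = Counter()
    for h in hits:
        totals[(h.acl, h.action, h.proto, h.dst, h.dport)] += h.hits
    return totals


# First two lines are from the thread above; the last two are constructed.
SAMPLE_LOG = """\
Jul 16 2012 12:46:13 FW1 : %ASA-6-106100: access-list inside permitted tcp inside/172.29.26.17(2678) -> outside/172.29.209.144(139) hit-cnt 1 first hit [0xd9e2aa06, 0x0]
Jul 16 2012 12:46:13 FW1 : %ASA-6-106100: access-list inside permitted tcp inside/172.29.26.12(2539) -> outside/172.29.209.144(445) hit-cnt 1 first hit [0xd9e2aa06, 0x0]
Jul 16 2012 12:51:13 FW1 : %ASA-6-106100: access-list inside denied tcp inside/172.29.26.12(2601) -> outside/203.0.113.9(23) hit-cnt 7 300-second interval [0x1a2b3c4d, 0x0]
Jul 16 2012 12:51:14 FW1 : %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.9/80 to inside:172.29.26.12/2602 duration 0:00:01 bytes 512 TCP FINs
"""

if __name__ == "__main__":
    hits = parse_acl_hits(SAMPLE_LOG.splitlines())
    for h in filter_by_address(hits, "172.29.26.12"):
        print(f"{h.action:9} {h.proto} {h.src}:{h.sport} -> {h.dst}:{h.dport} x{h.hits}")
    for key, total in summarize(hits).items():
        print(key, total)
```

Point the script at `show logging` output piped to a file, or at the syslog server's file, and change the `spec` argument to the address or subnet you care about; denied hits show up only for rules that carry the `log` keyword, as the answer says.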
Similar Messages
-
Hi, does anyone know what happened to the following PDF notes on Cisco? The PDF file contains only 1 page, compared to the original notes in HTML format, which run to a few pages.
If there is an alternative link for this document, please let me know. Thanks.
Document ID: 22040
PIX/ASA: Monitor and Troubleshoot Performance Issues
http://www.cisco.com/image/gif/paws/22040/pixperformance.pdf <PDF Notes, but 1 page only?>
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml <HTML Notes>
Hi experts / marcin
Can any one of you let me know about my question related to VPN?
Jayesh -
Hello ASA experts,
If you caught a SYN flooding attack against your ASA, what is the best approach to mitigate/prevent it from occurring? Also, what is the best method to monitor such attacks?
Best, ~sK
Thanks for the response! That's exactly what we did; however, we enabled scanning threat detection and implemented a threat-detection policy to shun any suspicious attacker.
We use WhatsUp Gold and do have all of our ASAs monitored, but we don't have an SNMP monitor for the connection count. Can you please share the SNMP active monitor used to monitor the connection count?
Much appreciated..
Best, ~sK
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bd3913.shtml
Scanning Threat Detection
Scanning Threat Detection is used in order to keep track of suspected attackers who create connections to many hosts in a subnet, or many ports on a host/subnet. Scanning Threat Detection is disabled by default.
Scanning Threat Detection builds on the concept of Basic Threat Detection, which already defines a threat category for a scanning attack. Therefore, the rate-interval, average rate (ARI), and burst rate (BRI) settings are shared between Basic and Scanning Threat Detection. The difference between the 2 features is that while Basic Threat Detection only indicates that the average or burst rate thresholds were crossed, Scanning Threat Detection maintains a database of attacker and target IP addresses that can help provide more context around the hosts involved in the scan. Additionally, only traffic that is actually received by the target host/subnet is considered by Scanning Threat Detection. Basic Threat Detection can still trigger a Scanning threat even if the traffic is dropped by an ACL.
Scanning Threat Detection can optionally react to an attack by shunning the attacker IP. This makes Scanning Threat Detection the only subset of the Threat Detection feature that can actively affect connections through the ASA.
When Scanning Threat Detection detects an attack, %ASA-4-733101 is logged for the attacker and/or target IPs. If the feature is configured to shun the attacker, %ASA-4-733102 is logged when Scanning Threat Detection generates a shun. %ASA-4-733103 is logged when the shun is removed. The show threat-detection scanning-threat command can be used in order to view the entire Scanning Threat database. -
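The paragraphs above describe a rate-based detector with a shared rate interval, average and burst thresholds, an attacker/target database, a rule that ACL-dropped traffic is not counted, and an optional shun. The Python below is an added example, not Cisco's implementation and not from the thread: a toy model of that logic, built so the pieces named in the text can be seen working on a constructed trace (one real sweep, one sweep stopped by an ACL, one well-behaved host). The burst window (1/30 of the rate interval, minimum 10 s), the choice to rate distinct host/port touches instead of raw packets, the lowered thresholds, and the trace itself are assumptions made for the example; the `attack`/`shun`/`unshun` events correspond to the 733101/733102/733103 messages mentioned above.

```python
#!/usr/bin/env python3
"""Toy model of the Scanning Threat Detection logic described above.

Added example, not Cisco code.  It reproduces the concepts the text names:
a shared rate interval with average and burst thresholds, an attacker ->
target database, traffic dropped by an ACL not counting, and an optional
shun with expiry.  The burst window (1/30 of the rate interval, minimum
10 s) and counting distinct (host, port) touches are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    t: float                   # seconds since start of trace
    src: str
    dst: str
    dport: int
    acl_dropped: bool = False  # True if an interface ACL dropped it


class ScanningThreatDetector:
    def __init__(self, rate_interval=600, average_rate=5.0, burst_rate=10.0,
                 shun=False, shun_duration=3600):
        self.rate_interval = rate_interval
        self.burst_interval = max(10, rate_interval // 30)  # assumption
        self.average_rate = average_rate  # touches/sec over rate_interval
        self.burst_rate = burst_rate      # touches/sec over burst_interval
        self.shun = shun
        self.shun_duration = shun_duration
        self._touches: Dict[str, Deque[Tuple[float, str, int]]] = defaultdict(deque)
        self.attackers: Dict[str, Set[str]] = defaultdict(set)  # attacker -> targets
        self.targets: Dict[str, Set[str]] = defaultdict(set)    # target -> attackers
        self.shun_list: Dict[str, float] = {}                   # attacker -> expiry
        self.events: List[Tuple[str, ...]] = []  # ("attack"|"shun"|"unshun", ...)

    def observe(self, p: Packet) -> None:
        self._expire_shuns(p.t)
        if p.acl_dropped or p.src in self.shun_list:
            return  # never reached the target, or already shunned: not counted
        q = self._touches[p.src]
        q.append((p.t, p.dst, p.dport))
        while q and p.t - q[0][0] > self.rate_interval:
            q.popleft()
        # A scanner spreads across many hosts or many ports, so rate the
        # number of distinct (host, port) pairs rather than raw packets.
        avg_n = len({(d, port) for _, d, port in q})
        burst_n = len({(d, port) for ts, d, port in q
                       if p.t - ts <= self.burst_interval})
        if (avg_n / self.rate_interval > self.average_rate
                or burst_n / self.burst_interval > self.burst_rate):
            self._flag(p)

    def _flag(self, p: Packet) -> None:
        if p.dst not in self.attackers[p.src]:
            self.attackers[p.src].add(p.dst)
            self.targets[p.dst].add(p.src)
            self.events.append(("attack", p.src, p.dst))  # cf. %ASA-4-733101
        if self.shun and p.src not in self.shun_list:
            self.shun_list[p.src] = p.t + self.shun_duration
            self.events.append(("shun", p.src))           # cf. %ASA-4-733102

    def _expire_shuns(self, now: float) -> None:
        for src, expiry in list(self.shun_list.items()):
            if now >= expiry:
                del self.shun_list[src]
                self.events.append(("unshun", src))       # cf. %ASA-4-733103


def run_demo(shun: bool) -> ScanningThreatDetector:
    """Constructed trace with lowered thresholds so it stays short:
    10.0.0.5 sweeps 30 hosts on 445 in 3 s, 10.0.0.9 does the same but an
    ACL drops every packet, 10.0.0.7 talks to one host on 443."""
    det = ScanningThreatDetector(rate_interval=300, average_rate=1.0,
                                 burst_rate=2.0, shun=shun, shun_duration=60)
    trace: List[Packet] = []
    for i in range(30):
        trace.append(Packet(i / 10, "10.0.0.5", f"192.168.1.{i + 1}", 445))
        trace.append(Packet(i / 10, "10.0.0.9", f"192.168.2.{i + 1}", 445, acl_dropped=True))
        trace.append(Packet(i / 10, "10.0.0.7", "192.168.1.1", 443))
    trace.append(Packet(100.0, "10.0.0.7", "192.168.1.1", 443))  # lets the shun expire
    for p in trace:
        det.observe(p)
    return det


if __name__ == "__main__":
    d = run_demo(shun=True)
    for e in d.events:
        print(*e)
    print("attackers:", {k: sorted(v) for k, v in d.attackers.items()})
```

With `shun=True` the sweep is flagged on its 21st distinct target and the attacker is shunned there, so the rest of the sweep is never counted; with `shun=False` every further host it touches is added to the database, which is the difference between the reporting-only and shunning modes described above. The ACL-dropped sweep never appears, mirroring the statement that only traffic actually received by the target counts.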
Problem transfer TFTP through ASA 5505
Hello,
I have a problem with my ASA 5505: I am not able to transfer files bigger than 100 KB using TFTP. Below is my architecture:
CME<->ASA5505<->SW3650
Here is what I get when I try to download a file located on the 3650 on my CME:
CME#copy tftp flash
Address or name of remote host [X.X.X.X]?
Source filename [cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar]?
Destination filename [cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar]?
Accessing tftp://X.X.X.X/cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar...
Loading cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar from 10.52.199.126 (via GigabitEthernet0/0): !... [timed out]
Error reading tftp://10.52.199.126/cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar (Connection timed out)
When I look on the ASA monitoring page, I see that a UDP connection is built between the ASA and the SW3650 but 2 minutes later there are "Teardown UDP connection" messages.
Can you please help me? Due to this transfer issue, I am not able to upgrade my IP phones (the phones only download the first 2 files because they are smaller than 100 KB).
Thank you in advance for your help.
Regards.
Thomas.
The default UDP connection timeout through the ASA is 2 minutes.
You can modify the timeout value for a specific flow from a particular source to a destination. Try changing the default connection timeout for UDP:
ASA(config)# access-list CONNS extended permit udp host <CME_IP> host <TFTP_SERVER_IP> eq tftp
ASA(config)# class-map CONNS
ASA(config-cmap)# match access-list CONNS
ASA(config-cmap)# exit
ASA(config)# policy-map CONNS
ASA(config-pmap)# class CONNS
ASA(config-pmap-c)# set connection timeout idle 00:30:00
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit
ASA(config)# service-policy CONNS {global | interface interface_name}
You can also globally change the UDP timeout value using:
ASA(config)# timeout udp 00:30:00
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_connlimits.html#wp1080774
HTH
"Please rate helpful posts" -
Tools for monitoring and Statistic.
Hi there
I am looking for a tool that help me to monitoring and take some statistic from ASA 5500 series, for example:
monitor the number of connections in use
monitor the number of tunnels in use
monitor the number of sessions in use
monitor throughput, packets and errors on all interfaces of the Cisco ASA
monitor encrypted traffic throughput
monitor your firewall’s uptime
monitor statistics for TCP and UDP
Looking on the internet I found this tool, LogicMonitor. Does anybody know if this tool is good and reliable?
Thanks everybody
Hi,
You didn't mention if you're looking for a free or licensed tool.
We use ManageEngine/OpManager as our main monitoring and reporting (NetFlow) tool for our ASAs.
Sent from Cisco Technical Support iPhone App -
Can anyone tell me which protocol is used for failover in ASA and how it works?
ASAs use keepalive packets between each other that are sent over the failover link. By using the keepalive packets, the standby ASA monitors the health status of the active ASA. If the standby ASA stops receiving keepalive packets from the active ASA, it will send out 3 test packets out the monitored interfaces. That is to say, it will send test packets out the actual interfaces that will trigger a failover if one of them fails. If the standby ASA still does not receive a reply from the active ASA, it will now assume that the active ASA is dead and will take over the role of active ASA.
The failover link is also used to replicate the configuration between the active and standby ASAs.
The state link is used to replicate the state table and other relevant active connection information.
Please remember to rate and select a correct answer -
ASA - ASDM shows Red X Connection Disconnected.
Hi everyone,
I have ASDM connection to ASA.
On the bottom i see Red X with two computers that says
ASA Syslog connection
Status is UP
ASA Monitoring Connection disconnected????????
I still have a connection to ASDM. I need to know what "connection disconnected" means.
Thanks
Mahesh
Hi Andrew,
Many thanks for useful link.
Regards
Mahesh -
Effectively blocking Bit Torrent
I am using BackTrack 5 to help monitor BitTorrent since I have been completely ineffective in blocking it via my Cisco 5505 firewall. I have now seen several outbound TCP connections with the connection being to my firewall's IP address. I am a rookie when it comes to using Cisco's rather clunky interface and am struggling with this. I am a software developer with very few networking skills in a company of 5! Can anyone help with the proper way to block BitTorrent downloads on my Cisco ASA 5505, or tell me why my BackTrack system is telling me that the firewall is connecting to The Pirate Bay?
Thanks in advance for any help you can give me!
It would help if you provided a white-washed network diagram to see where the BackTrack software is installed, listening to traffic. Now if I were a betting person, I would lay good odds that the address BackTrack sees is the same NAT IP used for traffic to go to the Internet and BackTrack is listening to traffic after it exits the ASA.
One of the things I have found to be beneficial on many levels is implementing software that uses NetFlow to track traffic, Scrutinizer for instance. You have all interfaces on the ASA monitored and create filters to look into almost anything crossing the ASA. (Not to plug Scrutinizer, just found it to be the best.)
Another benefit is to use it to see what applications, users, etc are eating traffic. I found a company which released new code to their web servers that did not compress pdf's after being generated, part of new code. As a result we saw a significant portion of the network traffic increase, almost double, and would not have found the culprit had it not been for netflow. -
How do I use Cisco MARS to monitor two ASA (active/stby) with IPS modules?
Hi
The two ASAs with IPS modules are in active/standby mode. When I try to add both IPs (active/standby) into MARS, MARS complains about duplicated hostnames.
How do I set up MARS to monitor ASAs with IPS in an active/standby topology?
Thanks!
Hi,
The fundamental problem with this scenario is that you have non-failover capable modules in a failover chassis - think of the ASA failover pair as one device and the IPS modules as two completely separate devices.
Then, as already mentioned, add only the primary ASA. (The secondary will never be passing traffic in standby mode so it's not actually needed in MARS) Then, with the first IPS module you can add it as a module of the ASA or as a standalone device (MARS doesn't care). With the second IPS module the only option is to add it as a separate device anyway.
In a failover scenario the ASAs swap IPs but the IPS modules don't, so whereas you'll only ever get messages from the active ASA, you'll get messages from both IPS IPs depending on which one happens to be in the active ASA at the time.
Don't forget that you have to manually replicate all IPS configuration every time you make a change.
HTH
Andrew. -
Best Practice for ASA Route Monitoring Options?
We have one pair of Cisco ASA 5505s located in different locations, and there are two point-to-point links between those two locations, one for the primary link (static route with low metric) and the other for backup (static route with high metric). The tracked option is enabled for monitoring the state of the primary route. The detailed parameters are as below:
Frequency: 30 seconds
Data Size: 28 bytes
Threshold: 3000 milliseconds
ToS: 0
Timeout: 3000 milliseconds
Number of Packets: 8
------ show run------
sla monitor 1
type echo protocol ipIcmpEcho 10.200.200.2 interface Intersite_Traffic
num-packets 8
timeout 3000
threshold 3000
frequency 30
sla monitor schedule 1 life forever start-time now
------ show run------
I'm not sure if the setting is so sensitive that the secondary static route begins to work right away, even when some small link flaps occur.
What is the best practice for setting these parameters in a production environment? How can we specify reasonable monitoring options to fit our needs?
Thank you for any idea.
Hello,
Of course being too sensitive might cause failover to happen when some packets get lost, but remember the whole purpose of this is to provide as little downtime to your network as possible.
Now if you tune these parameters, what happens is that failover will be triggered on a different time basis.
This is taken from a Cisco document (if you tune the SLA process as this states, 3 packets will be sent every 10 seconds, so 3 of them need to fail for the SLA to fail). This Cisco configuration example looks good, but there are network engineers that would rather use a lower timeline than that.
sla monitor 123
type echo protocol ipIcmpEcho 10.0.0.1 interface outside
num-packets 3
frequency 10
Regards,
Remember to rate all of the helpful posts ( If you need assistance knowing how to rate a post just let me know ) -
How to monitor Local IP Pools on ASA
Is there a way to monitor the availability or usage of Local IP pools on an ASA? Maybe an OID string that can be pulled by an NMS system. I would like to be alerted prior to the pool being exhausted.
As far as I know you can check this from your external authentication server, so if it's Cisco ACS acting as a RADIUS server for your VPN clients, then check under Reports and Activities >> Logged-in Users. It will show the connected users along with the IP addresses they have got.
Lists all users receiving services for a single AAA client or all AAA clients. Users accessing the network with Cisco Aironet equipment appear on the list for the access point that they are currently associated with, provided that the firmware image on the Cisco Aironet Access Point supports sending the RADIUS Service-Type attribute for rekey authentications.
Note To use the logged-in user list feature, you must configure AAA client to perform authentication and accounting using the same protocol—either TACACS+ or RADIUS.
The same can be checked from the ASA by running
show vpn-sessiondb
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s7_72.html#wp1135352
From ASDM go to Monitoring >> VPN >> Sessions.
Hope this helps.
Rgds
Jatin
Do rate helpful posts~ -
Monitoring ASA in Cisco Prime infrastructure 2.2
Hi everybody. I have an issue with Cisco Prime Infrastructure 2.2. We use this product in our network for monitoring network devices, and I also need to monitor our ASA 5550 device with software 8.4. I added the ASA to Cisco PI but see only basic components, like whether my device is reachable and readable via SNMP. I cannot see CPU, RAM, device environment like temperature, L2L VPN connections, interface status and utilization of those interfaces, or the sub-interfaces placed on the ASA like g0/0.20. I need to fully monitor the ASA and see logs and traps for my device:
CPU, RAM, ENV (temperature), interface and sub-interface status, L2L VPN status.
1. Can Cisco Prime Infrastructure fully support the ASA for monitoring and logging? If yes, how can I configure those features in Cisco PI 2.2 for the ASA?
2. If not, which product can fully support those features for full monitoring and logging of ASA devices?
I have a tight deadline for finishing.
Thanks everybody in advance
I've not had success monitoring ASA interface utilization either. I'm using PI 2.2 with device update #1. The ASA is a 5585-X with 9.2(3) software.
I have deployed the PI monitoring template to the ASA and do see its overall status and PI has enumerated the interfaces in the device page.
I even looked at a packet capture and see PI querying the values of the interface counters and those values being sent back to PI - yet I cannot select any ASA interface when drilling down under Performance Detail monitoring.
When I get some free time I will open a TAC case on it, meanwhile I am getting all the info I need from the upstream and downstream switches. -
Hi,
Does the "Number of packets" option mean that all the packets specified must exceed the threshold, or is it only one that can be missed? The internet connection for the config below is not very reliable and ping responses are regularly dropped. I believe this could be causing the route to change to the backup connection when not needed.
Thanks
Hello Dustin,
The "number of packets" configuration is the number of ICMP request packets that are going to go out from the ASA to the target, and these packets are the ones that are going to be inspected or monitored, so if they are getting regularly dropped the test is not going to pass and a failover between the routes will happen.
Please rate helpful posts.
Have a good one
Julio!!! -
Best Practices for ASA 5500 Device Monitoring
I have looked high and low and am unable to find anything on this topic. I am hoping that somebody here may be able to share some insight into what are considered the best practices for monitoring ASA's--specifically the 5510 with Sec+ License.
My current monitoring application keeps reporting issues with outbound interface buffers being too high, but there are not any performance issues and I believe the thresholds are just set absurdly low.
Thank you in advance for any assistance.
Hi James,
You probably won't be able to find any all-encompassing documentation for these types of best practices that cover all scenarios. The better method would be to define exactly what items you'd like to monitor and we can provide some guidance on how to best get that working for you.
-Mike -
Monitor Inspection Load IPS ASA-SSM-20
All,
I am aware there is a feature request but don't see any updates. Taking the chance here that its fallen through the cracks and someone has figured out another way to monitor inspection load on ASA-SSM-20 IPS. We are currently running 7.0(5a)E4. I want to be able to use Solarwinds Orion to monitor Inspection Load on our IPS devices. Does anyone know if that is yet possible...if so how?
Thanks!
Bump +1