Cisco ASA 5585-X SSP-20 8.4(2) - TCP Syslog problem

Hi,
We have a firewall service environment where logging is handled with UDP at the moment.
Recently we have noticed that some messages get lost on the way to the server (Since the server doesnt seem to be under huge stress from syslog traffic). We decided to try sending the syslog via TCP.
You can imagine my surprise when I enabled the "logging host <interface name> <server ip> tcp/1470" on an ASA Security context and find out that all the connections through that firewall are now being blocked. Granted, I could have checked the command reference for this specific command but I never even thought of the possibility of a logging command beeing able to stop all traffic on a firewall.
The TCP syslog connection failing was caused by a missmatched TCP port on the server which got corrected quickly. Even though I could now view log messages from the firewall in question in real time, the only message logged was the blocking of new connections with the following syslog message:
"%ASA-3-201008: Disallowing new connections."
Here start my questions:
- New connections are supposed to be blocked when the the TCP Syslog server aint reachable. How is it possible that I am seeing the TCP syslog sent to the server and the ASA Security Context is still blocking the traffic?
- I configured the "logging permit-hostdown" after I found the command and it supposedly should prevent the above problem/situation from happening. Yet after issuing this command on the Security Context in question, connections were still being blocked with the same syslog message. Why is this?
- Eventually I changed the logging back to UDP. This yet again caused no change to the situation. All the customer connections were still being blocked. Why is this?
- After all the above I removed all possible logging configurations from the Security Context. This had absolutely no effect on the situation either.
- As a last measure I changed to the system context of the ASA and totally removed the syslog interface from the Security Context. This also had absolutely no effect on the situation.
At the end I was forced to save the configuration on the ASAs Flash -memory, remove the Security Context, create the SC again, attach the interfaces again and load the configuration from the flash into the Security Context. This in the end corrected the problem.
Seems to me this is some sort of bug since the syslog server was receiving the syslog messages from the SC but the ASA was still blocking all new connections. Even the command "logging permit-hostdown" command didnt help or changing back to UDP.
It seems the Security Context in question just simply got stuck and continued blocking all connections even though in the end it didnt have ANY logging configurations on.
Seems to me that this is quite a risky configuration if you are possibly facing cutting all traffic for hundreds of customers when the syslog connection is lost or the above situation happens and isnt corrected by any of the above measures we took (like the command "logging permit-hostdown" which is supposed to avoid this situation alltogether).
- Jouni

Hi,
I FINALLY had the time to look at this issue as I was testing something else in our lab too.
In short, here is what I did:
I configured the TCP logging in the same way as in the original post
I configured the TCP logging giving the commands in different order
Did some other tests related to the proble
Device used: ASA 5585-X
Software: 8.4(2)
Original Device and software : ASA 5585-X running 8.4(1)9
Heres the above scenarions and what actually happened
Original situation
Before doing any changes the test firewall context in question is working normally and the log sent by UDP/514 is arriving to the Syslog server as usual.
I now change the syslog to TCP by giving a command "logging host tcp/1471" (actual port being TCP/1470)
The firewall immediatly starts blocking all connections going through it.
I change the configuration to the correct port TCP/1470 after which log starts appearing in my realtime view on the syslog server. The firewall context in question is still sending only the message "Disallowing new connections" even though the TCP -port on the Syslog server is clearly reachable and the connection is active.
After this I try to do the suggest "clear local-host all" command. This has no effect on the firewall context. No connections are getting through. No connections/xlates are formed on the firewall. I can only see the firewall doing DNS queries with its outside interface (related to another configuration).
After this I try to start correcting the situation the same way as before. I add "logging permit-hostdown" command which has no effect on the situation. I remove all logging configurations and it doesnt have any effect on the situation.
After this I activate UDP logging and can see the logs arriving on the syslog server but again I can only see "Disallowing new connections" message.
In the end I have no other option (to my knowledge) other than to delete the Security Context and create it again with same interfaces and with the configuration saved to the Flash -memory of the ASA.
After this the connections work like usual. (UDP logging in the saved configuration)
Giving the configurations in different order
After I've created the firewall again and all is working I have another try in configuring the TCP Syslog while giving the commands in different order.
First I add the command "logging permit-hostdown" command
Then I add the command "logging host tcp/1470"
After this logs start arriving on the syslog server and connections work as usual. Seems giving the "logging permit-hostdown" first before any other configurations is the right way to go.
Removing the "logging permit-hostdown" command
After I saw that everything was working I tried to remove the "logging permit-hostdown" command and see what happens. Everything worked fine.
Configuring wrong TCP port to "logging host" command
I decide to try and change the TCP port used to a wrong one and see if anything happens. (logging permit-hostdown is active). Firewall works as usual. Naturally no logs can be viewed at the syslog server.
Configuring the TCP Syslogging without "logging permit-hostdown" but with correct port
Finally I tried to configure the TCP Syslogging on ASA with the correct TCP port without issuing the "logging permit-hostdown" command. Everything seemed to work fine after this.
So in conclusion it seems that IF you don't have the "logging permit-hostdown" command issued before you start configuring "logging host tcp/xxxx" , you might run into problems IF you don't have matching settings on the ASA sending the log and the Syslog server receiving the log.
There doesnt seem to be any easy way to correct the situation (with the connections getting blocked) after you have once messed up the configurations. Seems your only option is to reconfigure the Security Context (which is easy) or if this problem exists in the same way in a single ASA you will have to reboot the device which means longer downtime than reconfiguring a context.
There would still be a couple of things to test but at the moment I have no more time for this. I will update if there is any new information.
- Jouni

Similar Messages

  • Cisco ASA 5585-X SSP-20 SSL wildcard SSL certificate support ?

    Hello
    i want to verify if Cisco ASA 5585-X SSP-20 supports Wildcard SSL's.
    Cheers

    Supports them how?
    As certificates issued to the ASA and properly bound to it's interfaces to support SSL VPN or ASDM access - yes.
    You can configure a wildcard (or any other) certificate improperly and cause things not to work. However it's not a limitation of the device's operating system not supporting it.

  • Symantec PKI on Cisco ASA 5585

    I am using a Cisco ASA 5585 in my network, the decision was made to use Symantec PKIs for the certificates. My question is, what the correct syntex would be to implement these PKIs on the ASA. I am trying to get this on the first go, as I want to limit down time.

    Hi,
    250 virtual contexts and 1024 VLAN’s are supported.
    Don't forget to rate helpfull posts.
    Sajid Ali Pathan.

  • Cisco asa 5585 syslog options for ips?

    We have CISCO ASA 5585 with a separate module for IPS, I want to know what are the options for configuring syslog? Its nearly impossible to find ; and there are some forums on the internet which says that cisco ips stores logs in native / proprietary format and cannot be exported.
    Please elaborate
    Thanks.

    Some sensor-related events generate syslog messages. Those will be forwarded according to the parent ASA syslog settings.
    Detailed IPS events (signature triggers actions etc.) are stored locally and must be retrieved using the SDEE protocol (tcp-based). That requires use of a management system like Cisco Security Manager (CSM), IPS Manager Express (IME) etc. There is a good document here that explains SDEE in more detail.

  • Cisco asa 5585 MultiContext !!!!

    Hi,
    Is it possible to have context in transperant mode and routed mode. Means if i need three context then 2 of them is in routed mode and one of them is in transperant mode. If yes then how, i can 't find this info in cisco website.???
    I am havin 5585-x and asa version 8.4
    thnx

    Hi,
    I found some more info see at this document
    http://www.cisco.com/en/US/partner/docs/security/asa/asa84/command/reference/ef.html#wp2016768
    Usage Guidelines
    In 8.4(1) and earlier in In multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system configuration. This command also appears in each context configuration for informational purposes only; you cannot enter this command in a context.
    In 8.5(1) and later in multiple context mode, you can set this command per context.
    When you change modes, the ASA clears the configuration because many commands are not supported for both modes. If you already have a populated configuration, be sure to back up your configuration before changing the mode; you can use this backup for reference when creating your new configuration.
    If you download a text configuration to the ASA that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration; the ASA changes the mode as soon as it reads the command and then continues reading the configuration you downloaded. If the command is later in the configuration, the ASA clears all the preceding

  • Cisco ASA 5585 Product Numbers..

    Hello,
    I think this will be any easy one for someone.. what do you actually get with each of these product numbers?
    ASA5585-S60-2A-K9 - I suspect this might be a bundle.
    ASA-SSP-60-INC - From what I can tell this is the SSP-60 module.
    Thanks,
    Nick

    check the following link
    https://supportforums.cisco.com/document/47881/sdee-and-ips

  • Command to View LDAP Password on Cisco ASA 5520

    Hello
    I am migrating from a Cisco ASA 5520 (ASA version 8.4(6)5 to a Cisco ASA 5585. We have LDAP issues logging into to our vpn client software. I assume the LDAP password may be incorrectly entered on the new 5585. No service password- encryption or more running:config won't show the encrypted LDAP password. What is the command to view that?
    Thanks!
    Matt

    Thankyou Jennifer for the responds.
    Could you please help me on how to enable "memberOf" attribute on AD to be pushed to ASA for the OU matching.
    i have already set the "Remote Dialin" property of user account name "testvendor" in AD as "Allow Access" .It can be shown in the debug output as below.
    [454095] sAMAccountName: value = testvendor
    [454095] sAMAccountType: value = 805306368
    [454095] userPrincipalName: value = [email protected]
    [454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
    [454095] msNPAllowDialin: value = TRUE
    [454095] dSCorePropagationData: value = 20111026081253.0Z
    [454095] dSCorePropagationData: value = 20111026080938.0Z
    [454095] dSCorePropagationData: value = 16010101000417.0Z
    Is their any other settings that i need to do it on AD ?
    Kindly advice
    Regards
    Shiji

  • Vlan on asa-5585

    Hi,
    Is there any way to create vlans on cisco asa 5585 similar way we do for cisco switches.
    The asa in this case is an interface for subsidary users to connect into this new network.
    We require few vlans to be created for some servers on the firewall. the firewall should be the gateway for these servers.
    eg. vlan 100 - 192.168.100.1/24 should be on the ASA firewall.
    How do we achieve this?
    Appreciate all help on this.

    Hi,
    You will have to configure atleast one physical interface as a Trunk interface if you want to bring the Vlan all the way to the ASA. Essentially the configuration follows the same lines as configuring a Cisco router to act as the gateway for multiple Vlans behind a switch.
    The actual configuration format depends on how you have set up the ASA. Is it Single Context or Multiple Context?
    In Single Context the configuration would be something like this
    interface GigabitEthernet0/0
    description TRUNK
    interface GigabitEthernet0/0.100
    vlan 100
    nameif LAN
    security-level 100
    ip add 10.10.10.1 255.255.255.0
    interface GigabitEthernet0/0.200
    vlan 200
    nameif DMZ
    security-level 50
    ip add 192.168.10.1 255.255.255.0
    If you are running Multiple Context mode the configuration could be something like this
    interface GigabitEthernet0/0
    description TRUNK
    interface GigabitEthernet0/0.100
    description LAN
    vlan 100
    interface GigabitEthernet0/0.200
    description DMZ
    vlan 200
    context EXAMPLE-CONTEXT
    allocate-interface GigabitEthernet0/0.100
    allocate-interface GigabitEthernet0/0.200
    config-url disk0:/EXAMPLE-CONTEXT.cfg
    Or something along these lines
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed.
    - Jouni

  • ASA 5585 setting unchecked

    i am seeing a strange issue on 2 of my Cisco ASA 5585s
    randomly the "Enable inbound VPN sessions to bypass interface access list. Group...." setting is getting unchecked.
    i have verified that no one is logging into the system
    is this a bug in the firmware or the ASDM ?

    Hi,
    I have not run into this issue atleast.
    First and only thing that comes to mind is that someone is using the ASDMs VPN Wizard to configure new VPN connections and during that changes this Global Setting that you mention.
    On the CLI format the command is
    sysopt connection permit-vpn
    The above is the default setting and will mean that any traffic coming through a VPN connection will bypass the interface ACL of the interface where the VPN is connected to.
    The below form of the command changes the behaviour of the ASA so that any connection will need to be allowed in the interface ACL of the interface where the VPN is connected to.
    no sysopt connection permit-vpn
    You can view the current setting (among all the other system option settings) with
    show run all sysopt
    - Jouni

  • Which routing protocols are supported on ASA 5585

    Hi,
    I am curious to know which routing protocol is well supported on Cisco ASA 5585. do someone on the forum has implemented routing on ASA?
    I have ASA 5585 on context mode, as of now 4 contexts have been created. upstream device is Nexus.
    I have ASA with Software Version 8.4(4)1 and Device Manager Version 6.4(9).
    if someone can point me to good implemented example of routing protocol to their environment (like OSPF, BGP) that would be great.
    Thanks

    You're welcome.
    Multiple contexts adds another twist - in ASA 8.4 dynamic routing protocols are not supported at all for multiple contexts. Reference.
    ASA 9.0 added support for dynamic routing protocols in multiple context modes, including OSPF v2 (but not v3 for IPv6). Reference.
    FYI ASA 9.1(2) is current as of this writing and is the recommended release in the 9.x train. (Mentioned near the end of the latest TAC Security podcast - episode #37 here.)

  • Open nms and Asa 5585-ssp-20

    Have anybody configured open nms to monitor Asa 5585... I am
    Trying to get a difference in MIB's in 5540 vs 5585. Please if someone know the MIB difference please let me know. Thanks
    Sent from Cisco Technical Support iPhone App

    Send and email to [email protected] and provide them the S/N of the chassis.   Inform them what you want to do and they'll verify the data for you.

  • Business Continuity features available in ASA-5585-x

    Hi,
    in Data Center environment using only one ASA-5585-x, what kind of business continuity features, a single 5585-x offers or can be configured to keep the business running, in case the firewall got failed.
    Thanks
    Mike

    Hi,
    I am not sure if I understood the question completely.
    I am not really sure how any configuration on the device can help you if the actual device fails completely.
    With regards to the hardware I think only the high end model with SSP-60 comes by default with 2 PSUs while others come with 1 PSUs though you can install a second PSU to the units and in this way provide some redundancy in the event of power failure though that naturally depends on other factors than the ASA alone.
    To my understanding it is also possible to set up the single ASA 5585-X unit with dual SSPs. I have not had to set up such an environment so I am not sure how it exactly works. I am not sure how they handle together. I can't seem to find the document I was once reading about this. But I would imagine that this could provide redudancy to the firewall setup.
    Then there is also Clustering ASAs (not same as Failover pair) units but again this naturally requires additional hardware and is something I have not setup up myself.
    Then there is naturally configuring 2 identical ASA 5585-X units in Failover pair (Active/Standby or Active/Active) to provide redudancy in case of hardware failure.
    We have some less critical environments set up with single ASA5585-X units and we naturally dont guarantee the same availability for those services as with setup where we have 2x ASA5585-X units in Failover. We do have replacement units for these and can naturally get replacements otherwise also.
    - Jouni

  • More Detailed Specifications for ASA 5585-X

    Hi:
    Does anyone know about a document in which is specified who may ACE rules are supported in an ASA5585-SSP-20?
    I need to compare this an other several specification versus a FWSM. I found the information for the module, but not for the ASA 5585-X..
    In the data sheet this information is not specified
    Thank you very much

    Hello Marco,
    That is because the FWSM does have a limit,  I have not seen any limit on the ASA, The asa does support way way way more than the FWSM, I have not seen any limit  yet but I have heard that it will let you know as  soon as is full of ACL's or you will start seeing a degradation of the performance. Anyway dude you have an 5585, that is a giant and amazing box You are more than safe.
    Hope this helps
    Julio

  • Visio stencil for ASA 5585-X?

    Hello,
    Can anybody help pointing me to where I can get a visio stencil for a asa-5585-x.
    I really appreciate it.
    Thanks,
    John

    Hi John,
    The official Cisco Visio stencils can be found here:
    http://www.cisco.com/en/US/partner/products/hw/prod_cat_visios.html
    I don't see the 5585 there yet, but once it's available that set should be updated.
    -Mike

  • ASA 5585-X Route-Map

    Hi,
    how can apply  route-map rules to an interface ?
    i set up some rules but i cannot apply these rules any interface.
    Thanks a lot.

    Thank you Kanwal.
    in a cisco router you can apply your route-map by using command ip policy map ... İ didnt find any command like this. İ set up some match and set conditions but i do not apply any interface.
    can i use route-map to manipulate routing table İn asa 5585-x.?
    sincerely

Maybe you are looking for