Cisco ASA 5585-X SSP-20 8.4(2) - TCP Syslog problem
Hi,
We have a firewall service environment where logging is handled with UDP at the moment.
Recently we have noticed that some messages get lost on the way to the server (since the server doesn't seem to be under huge stress from syslog traffic). We decided to try sending the syslog via TCP.
You can imagine my surprise when I enabled "logging host <interface name> <server ip> tcp/1470" on an ASA Security Context and found out that all the connections through that firewall were now being blocked. Granted, I could have checked the command reference for this specific command, but I never even thought of the possibility of a logging command being able to stop all traffic on a firewall.
The TCP syslog connection failing was caused by a mismatched TCP port on the server, which got corrected quickly. Even though I could now view log messages from the firewall in question in real time, the only message logged was the blocking of new connections with the following syslog message:
"%ASA-3-201008: Disallowing new connections."
Here my questions start:
- New connections are supposed to be blocked when the TCP syslog server isn't reachable. How is it possible that I am seeing the TCP syslog sent to the server and the ASA Security Context is still blocking the traffic?
- I configured "logging permit-hostdown" after I found the command, and it supposedly should prevent the above problem/situation from happening. Yet after issuing this command on the Security Context in question, connections were still being blocked with the same syslog message. Why is this?
- Eventually I changed the logging back to UDP. This yet again caused no change to the situation. All the customer connections were still being blocked. Why is this?
- After all the above I removed all possible logging configurations from the Security Context. This had absolutely no effect on the situation either.
- As a last measure I changed to the system context of the ASA and totally removed the syslog interface from the Security Context. This also had absolutely no effect on the situation.
In the end I was forced to save the configuration to the ASA's flash memory, remove the Security Context, create the SC again, attach the interfaces again and load the configuration from the flash into the Security Context. This finally corrected the problem.
Seems to me this is some sort of bug, since the syslog server was receiving the syslog messages from the SC but the ASA was still blocking all new connections. Even the "logging permit-hostdown" command didn't help, nor did changing back to UDP.
It seems the Security Context in question just simply got stuck and continued blocking all connections even though in the end it didn't have ANY logging configuration on.
Seems to me that this is quite a risky configuration if you are possibly facing cutting off all traffic for hundreds of customers when the syslog connection is lost or the above situation happens and isn't corrected by any of the measures we took (like the "logging permit-hostdown" command, which is supposed to avoid this situation altogether).
- Jouni
Hi,
I FINALLY had the time to look at this issue as I was testing something else in our lab too.
In short, here is what I did:
- I configured the TCP logging in the same way as in the original post
- I configured the TCP logging giving the commands in a different order
- Did some other tests related to the problem
Device used: ASA 5585-X
Software: 8.4(2)
Original device and software: ASA 5585-X running 8.4(1)9
Here are the above scenarios and what actually happened:
Original situation
Before doing any changes, the test firewall context in question is working normally and the log sent by UDP/514 is arriving at the syslog server as usual.
I now change the syslog to TCP by giving the command "logging host tcp/1471" (the actual port being TCP/1470).
The firewall immediately starts blocking all connections going through it.
I change the configuration to the correct port TCP/1470, after which the log starts appearing in my real-time view on the syslog server. The firewall context in question is still sending only the message "Disallowing new connections" even though the TCP port on the syslog server is clearly reachable and the connection is active.
After this I try the suggested "clear local-host all" command. This has no effect on the firewall context. No connections are getting through. No connections/xlates are formed on the firewall. I can only see the firewall doing DNS queries with its outside interface (related to another configuration).
After this I try to correct the situation the same way as before. I add the "logging permit-hostdown" command, which has no effect on the situation. I remove all logging configurations and it doesn't have any effect on the situation either.
After this I activate UDP logging and can see the logs arriving on the syslog server, but again I can only see the "Disallowing new connections" message.
In the end I have no other option (to my knowledge) than to delete the Security Context and create it again with the same interfaces and with the configuration saved to the flash memory of the ASA.
After this the connections work like usual. (UDP logging in the saved configuration)
Giving the configurations in a different order
After I've created the firewall again and all is working, I have another try at configuring the TCP syslog while giving the commands in a different order.
First I add the "logging permit-hostdown" command
Then I add the command "logging host tcp/1470"
After this, logs start arriving on the syslog server and connections work as usual. It seems giving "logging permit-hostdown" first, before any other configuration, is the right way to go.
Removing the "logging permit-hostdown" command
After I saw that everything was working I tried to remove the "logging permit-hostdown" command and see what happens. Everything worked fine.
Configuring wrong TCP port to "logging host" command
I decide to try and change the TCP port used to a wrong one and see if anything happens. (logging permit-hostdown is active). Firewall works as usual. Naturally no logs can be viewed at the syslog server.
Configuring the TCP Syslogging without "logging permit-hostdown" but with correct port
Finally I tried to configure the TCP Syslogging on ASA with the correct TCP port without issuing the "logging permit-hostdown" command. Everything seemed to work fine after this.
So in conclusion, it seems that IF you don't have the "logging permit-hostdown" command issued before you start configuring "logging host tcp/xxxx", you might run into problems IF you don't have matching settings on the ASA sending the log and the syslog server receiving the log.
There doesn't seem to be any easy way to correct the situation (with the connections getting blocked) after you have once messed up the configuration. It seems your only option is to reconfigure the Security Context (which is easy), or, if this problem exists in the same way on a single ASA, you will have to reboot the device, which means longer downtime than reconfiguring a context.
There would still be a couple of things to test but at the moment I have no more time for this. I will update if there is any new information.
- Jouni
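As an added example (not part of the thread or Cisco's own tooling), here is a small Python watcher for the fail-closed condition Jouni describes: it parses ASA syslog lines and alerts per device as soon as %ASA-3-201008 "Disallowing new connections." appears, so the outage is noticed before customers report it. The log lines and context names are constructed samples.

```python
"""Watch an ASA syslog feed for the fail-closed condition described above.

With `logging host ... tcp/<port>` configured and no `logging permit-hostdown`,
the ASA stops passing new connections and logs %ASA-3-201008. Catching that
message ID per device is the quickest way to detect the condition.
"""
import re
from collections import defaultdict

# Standard ASA syslog header: %ASA-<severity>-<6-digit message id>: <text>
ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)")

# Message IDs that indicate the firewall is refusing new connections.
# 201008 is the one quoted in the thread; the set is a constructed list.
FAIL_CLOSED_IDS = {"201008"}  # "Disallowing new connections."


def parse_asa_line(line):
    """Return dict(host, sev, msgid, text) or None for non-ASA lines.

    Assumes the common 'Mon dd hh:mm:ss <host> %ASA-...' syslog layout,
    where the token right before the %ASA header is the sending device.
    """
    m = ASA_RE.search(line)
    if not m:
        return None
    head = line[: m.start()].split()
    host = head[-1] if head else "unknown"
    return {
        "host": host,
        "sev": int(m.group("sev")),
        "msgid": m.group("msgid"),
        "text": m.group("text").strip(),
    }


def find_fail_closed(lines):
    """Return {host: count} for every device that emitted a fail-closed message."""
    hits = defaultdict(int)
    for line in lines:
        rec = parse_asa_line(line)
        if rec and rec["msgid"] in FAIL_CLOSED_IDS:
            hits[rec["host"]] += 1
    return dict(hits)


# Constructed sample feed: context A is healthy, context B is stuck.
SAMPLE = """\
Mar 10 12:00:01 fw-ctx-a %ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.5/51000 (203.0.113.5/51000) to inside:10.0.0.5/443 (10.0.0.5/443)
Mar 10 12:00:02 fw-ctx-b %ASA-3-201008: Disallowing new connections.
Mar 10 12:00:02 fw-ctx-b %ASA-3-201008: Disallowing new connections.
Mar 10 12:00:03 fw-ctx-a %ASA-6-302014: Teardown TCP connection 1234 for outside:203.0.113.5/51000 to inside:10.0.0.5/443 duration 0:00:02 bytes 4096 TCP FINs
not a syslog line at all
""".splitlines()

if __name__ == "__main__":
    for host, n in find_fail_closed(SAMPLE).items():
        print(f"ALERT {host}: {n}x %ASA-3-201008 - new connections are being refused")
```

In production, feed the function the live lines from the collector (for example the UDP/514 or TCP/1470 listener) rather than the embedded sample.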