On Wed, 16 Dec 2009, Tony Varriale wrote:
Try to get a bugid and make sure the recommended upgrade fixes your problem.
That's indeed the proper thing to do. And please, after making sure - also
let the case owner know, that it did fix the problem - it's a step
sometimes overseen :-)
I've had a couple of logging issues that had no id and TAC just said upgrade.
shoot me the case#s unicast, if you still have them. The one I found in a
quick search did mention the bug ids along with the pretty detailed
explanations for each, but maybe there were some others where there was
less info, that I could not find...
As a side note, have you had the issue of traffic blowing by an ACE? :)
http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml ?
There could be some other scenarios where by tweaking the object group one
gets the ACL exploded so much that it does not fit into the network
processors anymore - then the previously compiled version is being used -
but generally you get a pretty prominent warning about that.
thanks,
andrew
tv
----- Original Message ----- From: "Holemans Wim" <wim.holem...@ua.ac.be>
To: <cisco-nsp@puck.nether.net>
Sent: Wednesday, December 16, 2009 9:44 AM
Subject: [c-nsp] FWSM logging problem
It seems our FWSM doesn't log all denied ACLs. I blocked an IP address
on our FWSM and wanted to see whoever on campus is trying to access
this address (Botnet C&C).
I added the following line in the ACL (even raised priority), you can
see that the rule triggers when I tried to telnet to the address:
access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4
log critical interval 30 (hitcnt=9) 0x6e051e8c
There is however no corresponding syslog message on our syslog server or
in the buffered logs on the FWSM.
These are our logging settings: already raised queue size, some
messages moved to another log level so they don't get sent to our syslog
server. ACL log messages are normally of ID 106100 level debugging, I
can find several of them on the syslog server but not for the specific
ACE.
logging enable
logging timestamp
logging emblem
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm informational
logging queue 1024
logging host DA-rt x.x.x.x
logging message 305010 level debugging
logging message 305009 level debugging
logging message 302015 level debugging
logging message 302014 level debugging
logging message 302013 level debugging
logging message 302016 level debugging
logging message 302021 level debugging
Does anyone have a clue how to get all syslog messages for the ACEs that
have a log part?
Wim Holemans
Netwerkdienst Universiteit Antwerpen
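An added check, constructed for this thread and not code from the poster or from Cisco, that applies the usual severity rules to the quoted configuration: a destination receives a message when the message's severity is at or below the destination's level, `logging message <id> level <lvl>` overrides a message's severity, and the ACE's `log <level>` keyword sets the severity of the 106100 message it generates (a bare `log` is assumed to keep the default, 6/informational). It shows that with the posted levels every destination should admit the `log critical` message, so level filtering alone does not explain the missing entries.

```python
import re

# Cisco syslog severities; a destination at level N receives severity <= N.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
DESTINATIONS = ("console", "monitor", "buffered", "trap", "asdm")

# Constructed excerpt of the logging configuration quoted in the post.
POSTED_CONFIG = """\
logging enable
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm informational
logging message 302013 level debugging
"""
# Constructed copy of the posted ACE (address kept as the post's placeholder).
POSTED_ACE = ("access-list Internet-out extended deny ip any host X1.X2.X3.X4 "
              "log critical interval 30")


def parse_logging_config(config):
    """Return ({destination: level}, {msg_id: level override}, {disabled ids})."""
    dest, overrides, disabled = {}, {}, set()
    for line in config.splitlines():
        w = line.split()
        if len(w) == 3 and w[0] == "logging" and w[1] in DESTINATIONS:
            dest[w[1]] = SEVERITY[w[2]]
        elif len(w) >= 4 and w[:2] == ["logging", "message"]:
            if w[3] == "level":
                overrides[w[2]] = SEVERITY[w[4]]
            elif w[3] == "disable":
                disabled.add(w[2])
    return dest, overrides, disabled


def ace_log_severity(ace):
    """'log <level>' sets the 106100 severity; bare 'log' keeps the assumed default 6."""
    m = re.search(r"\blog(?:\s+([a-z]+))?", ace)
    if m and m.group(1) in SEVERITY:
        return SEVERITY[m.group(1)]
    return SEVERITY["informational"]


def destinations_receiving(config, ace, msg_id="106100"):
    """Destinations whose configured level admits the ACE's 106100 message."""
    dest, overrides, disabled = parse_logging_config(config)
    if msg_id in disabled:
        return []
    sev = overrides.get(msg_id, ace_log_severity(ace))
    return sorted(d for d, lvl in dest.items() if sev <= lvl)
```

Appending `logging message 106100 level debugging` to the same configuration would drop the message from `trap` and `asdm` (both at informational), which is the kind of override worth ruling out before escalating to TAC.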
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/