Cisco Firewall :: ASA 5500 / 5580 Syslog Keeps Sending To Old Server
Oct 26, 2011
We use multiple ASA 5500/5580 cluster systems running 8.3 software versions.Actually we send all our FW syslog data to a SIEM appliance in a DMZ on a remote firewall (non-asa). Recently we suffered a strange incident while implementing a new SIEM collection station now situated in a dmz that is located on one of the ASA contexts. We redirected the syslog streams to the new client for one of the contexts on the ASA cluster that holds the new SIEM agent DMZ..since we did this and redirected the syslog we see double traffic and spoofing errors on that context
a/ the ASA keeps sending out the syslog traffic to the OLD SIEM agent server ip (there is however no trace of its ip in the config)
b/ the traffic leaving the interconnection interface towards the OLD SIEM agent gets a SPOOFING error on the traffic
c/ strangely the data gets also correctly forwarded to the new SIEM collection stations.
We started out with redirecting traffic on only one of the 5 contexts to the new environment and kept logging the others to the old system.I finally got out of the issue by reconfiguring al the other contexts to forward their syslog towards the same new server , since that moment we no longer have the double logging and spoofing error , all syslog traffic goes correctly to the new SIEM agent. It looked like some remenants of the old syslog config remainded on the asa event after deleting and introducing a new config line (we used the asdm to execute the action) as said either it kept the old config or it looked in the other context and "decided" to keep sending to the old server also mentioned in that syslog can find the behaviour in any buglists either way.
View 1 Replies
ADVERTISEMENT
Jan 15, 2012
Recently i have upgraded the IOS of ASA5550 (in HA mode) to 8.4.2 from 8.0.5, after OS upgrade we found that the syslog from thses firewalls are not getting captured/transfered to centralised syslog server. The server is reachable from the firewalls.
View 3 Replies
View Related
Mar 13, 2011
Is it possible for a Cisco ASA 5580 to create Syslog entries when someone connects via HTTPS or SSH to it. I need to obtain information from Syslog when someone does this.
View 5 Replies
View Related
May 31, 2012
I would like to send my ASA 5500 logs to more than one syslog server - is this possible? I can't seem to find it in the documentation.
View 3 Replies
View Related
May 9, 2011
I need to setup a syslog server for PIX w/ 6.2 and was hoping to get detailed instruction how to go about it. I would like exact syntax w/ an example on the pix and any configuration on the computer that will be receiving the log info. I have downloaded tftpd32 onto computer
View 1 Replies
View Related
Apr 21, 2013
on ASA 5540 , i configured the logging setup as following :
log in to the internal buffer : buffer size 1048576 bytes
Then i save the buffer to FTP server to save the log messages in continuously way everything was working fine but suddenly sending the ftp traffic to FTP traffic has stopped suddenly before in the live log viewer it was showing when ASA throws the ftp traffic to the ftp server but this stopped suddenly nothing has changed in the ftp server setting (same username and password and the connectivity is there) sending logging traffic to the ftp server came back just when i reboot the ASA.but this is not solution.
View 5 Replies
View Related
Sep 16, 2012
It is a Customer requirement to send 802.11 client association/disassociation logs to the Syslog server in a Unified Wireless system. (AIR-CT5508 + LAP1142) [code] Unfortunately I didn't find such logs even in Msg Log with the severity level set to debugging.I was able to do client assoc/disassoc logging with SNMP trap + trap receiver software, BUT is there any way to do this with Syslog?
View 1 Replies
View Related
May 7, 2013
I'm building the use case to test / detect for rogue devices on the network. I have in my enviroment Lan controller 5500 controller with AP (aironet 3500). I want to detect for rogue devices/ap connected to my network. I know before i can see this activity on the network i have to configure the controller / ap to detect this behavior. I'm doing this step.
Authorize AP's against AAA function to make sure that all the AP's registering to your WLC are authorized AP's of the network.By enabling this feature, only those AP's whose mac-addresses are present in the authorization list, will be able to register to the URL
Using Rogue detection. feature, the WLC will be able to detect any AP that is not a part of its RF group and contain it.URL
NOTE: from the forum I have seen other talks about the same issue and saying that if I have any APs in "Rogue Detection" mode sitting on the trunk port on the switch then only, this AP will detect the Rogue on Wired
I don't think i completely understand this statement, by sitting does it mean that it is passively sniffing coming in/out on trunk link?
Considering the above steps are accurate, after this will i be able to see rogue detection behavior in syslogs? What exactly would be the messages that would produce this behavior.
View 7 Replies
View Related
Jun 27, 2011
I have recently setup Splunk to receive my syslog messages from my ASA 5510. In the past I used kiwi without observing this issue, but I needed more features than kiwi had available. Anyway, anytime I stop the splunk service my asa does not allow any outbound connections to be established.
View 2 Replies
View Related
May 9, 2013
I'm building the use case to test / detect for rogue devices on the network. I have in my enviroment Lan controller 5500 controller with AP (aironet 3500). I want to detect for rogue devices/ap connected to my network. I know before i can see this activity on the network i have to configure the controller / ap to detect this behavior.
Authorize AP's against AAA function to make sure that all the AP's registering to your WLC are authorized AP's of the network.By enabling this feature, only those AP's whose mac-addresses are present in the authorization list, will be able to register to the WLC. url...
Using Rogue detection. feature, the WLC will be able to detect any AP that is not a part of its RF group and contain it. url...the forum I have seen other talks about the same issue and saying that if I have any APs in "Rogue Detection" mode sitting on the trunk port on the switch then only, this AP will detect the Rogue on Wired.
View 2 Replies
View Related
Feb 16, 2011
My web server sits behind an ASA 5500.When I access the web site from outside, it works fine. When I try and access it from the server itself, I get"Internet Explorer cannot display the webpage" error. I can access other web sites, such as Yahoo.com, Google.com, etc. I have rules setup to restrict/enable incoming traffic, but I don't have any rules setup to "loop back".
View 18 Replies
View Related
Aug 11, 2011
I'm looking fot a way to do static URL blocking with ASA and when the URL is blocked present a "Web Page" to the user saying that it's been blocked.
So, i was wondering if i can use the http parameter "spoof server string" to replace the original URL sent by the user for another URL that points to an internal web server holding a basic page saying "Your URL request has been blocked".
The point is to have a way to tell users that the page they are trying to browse is blocked by a policy.
View 1 Replies
View Related
Apr 18, 2012
We are going to impliment Spectrum (CA) in my network,i have ASA-5580-20 firewall now my spectrum server want to communicate with firewall,then only it will discover the firewall logs.Now the problem is my spectrum server is in MZ zone(10.10.10.45) security leval is 70 and my inside interface(10.20.20.101) security leval is 100.
I am unable to ping from spectrum server to firewall because of high security leval.How can i solve this problem,can i change my inside security leval to 69 then i think it will ping.
View 1 Replies
View Related
Oct 30, 2011
i check ASR 1006 config with ESP-40, the firewall permonce can reach 40G, ASA 5580 is 20G, can ASR 1006 replace ASA 5580, is there any function feature problem?
View 1 Replies
View Related
Dec 11, 2011
I'm using an ASA version 8.4.2 and a Radius Server.
Is-it possible to configure ASA for sending the name of the connection profile to the Radius Server ?
By default, the radius server doesn't receive this information.
View 1 Replies
View Related
Jul 26, 2011
I have a WCS working on version 7.0.172.0.Is there a way to send the alarms produced by WCS to another Syslog Server?
View 4 Replies
View Related
Mar 4, 2012
I am trying to setup syslog server on LMS 4.0.Everything seems to be working fine but I have a lot of stragne logs in my syslog.log file.Every single day I receive logs like :
Mar 05 09:31:03 127.0.0.1 100: <30> dmgt[1136]: 3007(I):Started application(1015) "e:CSCOpxincwjava.exe -cw:jre lib/jre -cp e:CSCOpxMDC omcatsharedlibMICE.jar;e:CSCOpxMDC omcatsharedlibNATIVE.jar;e:CSCOpxMDC omcatsharedlibjdom.jar;e:CSCOpxMDC omcatsharedlibxalan.jar;e:CSCOpxMDC omcatsharedlibxerces.jar;e:CSCOpxMDC omcatcommonlibservlet.jar;e:CSCOpxMDC omcatsharedlibcastor-0.9.5.jar;e:CSCOpxMDC omcatsharedlibcastor-0.9.5-xml.jar;e:CSCOpxlibclasspath;e:CSCOpxwwwclasspath;wwwclasspathvbjorb.jar;MDC omcatwebappsupmWEB-INFclasses;libjrelibendorsedjacorb.jar;MDC omcatwebappsupmWEB-INFlibctm.jar;MDC omcatwebappsupmWEB-INFliblog4j.jar;MDC omcatwebappsupmWEB-INFlibjep-3.2.0.jar;MDC omcatwebappsupmWEB-
[code]....
I dont want to get any logs from 127.0.0.1. Is it possible to filter out logs from server ?
View 3 Replies
View Related
Oct 15, 2011
accessing my cisco ASA, last night we were doing VA on our ASA, after that iam not able to access it through ssh nor telnet. its not giving me any error.. i tried from different system also. SSH & telnet allowed from inside to 0.0.0.0 i have re-generated rsa keys when it was working. ASA version is 8.2 now when i connect telent is giving me blank prompt. i can login using ASDM.
View 5 Replies
View Related
May 16, 2012
I would like to know whether LMS 4.1 (local server mode) has the ability to relay syslog messages received from devices to an external syslog server? If so, how do I configure such?
From reading the document and going through the LMS 4.1 GUI, it appears that it could receive and forward messages but only between LMS system (ie. multi server mode) as SSL is required.
View 1 Replies
View Related
Feb 12, 2012
I want to forward syslog messages that I receive in my Cisco Works server to another server,what is the best way to accomplish this. I'm running LMS3.2 on Solaris 10.
View 3 Replies
View Related
Sep 27, 2011
I got a problem with a cisco asa 5580 like two days ago and the device stop working (there was a mainteinance window and after that the device didn't work). Now we receive the RMA and we are trying to configure the failover so the new device get the configuration form the one that is working.
But this is the message that I gettin:
Failover message decryption failure. Please make sure both units have the same failover shared key and crypto license or system is not out of memory
We already changed the shared key and crypto license but the failover is still down, what are the features that the cisco need to activate to enable the failover?
View 5 Replies
View Related
Feb 11, 2012
I am receiving allot of Errors "%ASA-4-405001: received ARP collision from IP/MAC on interface dmz1 with existing ARP Entry IP/MAC
When i checked this MAC address in the same firewall it shows too many IP Addresses. What could be the reason ?
View 0 Replies
View Related
May 23, 2012
We are using Cisco ASA 5580 (8.2) firewall. When i try to ping from inside lan to firewall DMZ interface IP it is not pingable and but from inside users i am able to ping firewall inside interface IP address.
I think we can't ping to other interfaces of ASA by default. But can we allow the single IP address who can ping all the interfaces of firewall?
We are not doing any natting in firewall, for that we used the Load Balancer.
View 7 Replies
View Related
May 16, 2011
A customer's ASA is presenting the System LED flashing red.I have already analysed the show tech-support and show environment output: Found nothing, everythink seems OK.Cisco ASA 5580-20 - 8.2.1.Single appliance, no failover, multiple context and transparent mode.
View 5 Replies
View Related
Aug 19, 2012
we are going to upgrade our 5580 ASA Cluster from 7.2 to 8.2 and want to do it like this way ( which worked for all 7.x upgrades ) :download asa8.2 Image to primary + secondary Firewallreboot primary ( message come up " mate version ...)reboot secondary.Does it works any experience? Does it work if both firewall can see each other during the boot process ?
Do I have to bring the secondary into the monitor mode so the fw is not visible for the primary ?
View 2 Replies
View Related
Mar 29, 2011
I want to ask that does ASA 5580 support the nat-pt for IPv6?
View 2 Replies
View Related
Mar 5, 2011
i'm new with the asa's...i'm familiar with the FWSM's on 6500's and pix..I'm running Version 8.3(2) and i wanted to setup nat-control and use of identify nats for advertising inside subnets to my outside networks.
the old command was static(inside,outside) 10.x.x.x 10.x.x.x netmask 255.255.255.x i'm having a little difficulty decyphering the pdf about the static nat...the command itself is no longer used, nat-control is no longer used, but i'm not quite sure what the equivalent nat command is that equates to the old static inside,outside command.
View 8 Replies
View Related
Apr 8, 2012
In my ASA 5580-20 system LED is flashing RED how can i trobleshoot this.
I checked rarepanel everything is ok also i saw environment also showing ok
View 1 Replies
View Related
Mar 9, 2013
I'm having an issue with the syslog.
My configuration is:
LAN A (RV042)<-> GW to GW tunnel <-> (RV082) LAN B
On LAN A, I got a NAS with a syslog server. On the RV042, I've set the parameters for the syslog server, and it's working fine. On the RV082, I've set the same parameters and noting is happening.
As troubleshooting, I've done the following:
-On the RV082, I can ping the NAS without problems.
-On the RV082, I've set my computer IP adress as syslog server IP and with packet analyser, I not seing any UDP packets.
View 6 Replies
View Related
Jan 16, 2013
Is there an .ISO file for installing on Windows Server20888SR2 ?
View 1 Replies
View Related
Mar 19, 2013
I got a new Cisco 3845 under my adminsitration. For some special events I do automated actions (e-mail's) from Cisco Works 2000.
One is if power supply fails. Problem now is, tha a ps fail message will be repeated every 20 seconds to syslog server - but local log on router only once.
View 1 Replies
View Related
Feb 7, 2011
I have a WAP4410N access Point, firmware 2.0.1.0. I have configured a Kiwi syslog server to get the log from the WAP4410N, but the log information obtained is just the "standard event log" and not the detailed log (every connection source and destination IP address,IP server,and number of bytes transferred) , according to the manual of the access point.what I have to do? firmware update? another syslog server?
View 1 Replies
View Related
Dec 25, 2012
How to set up logging of commands on syslog server ? (cisco nexus 7010)
View 2 Replies
View Related