Cisco Switching/Routing :: 2811 Disable Audit-trail For Icmp Packets In CBAC Logging
Mar 23, 2013
I have a cisco 2811 router set up as a nat/firewall gateway for my network. I've configured it for CBAC on using ip inspect and an access list.What I want is to use audit-trail to record network traffic (which means sending syslog messages to a server) concerning established sessions from my own network to locations in the outside. If i configure this using ip inspect audit-trail and no ip inspect alert-off, the configuration looks like this: [code] which works just fine, but there is the matter of icmp packets.
Since i use polling software that needs to check some machines in the outside part of the network, it is only natural that several icmp sessions are established through the Inspection Rule per minute. The problem is that since these sessions are recorded along with everything else, my syslogs are flooded with these (since i am using logging trap informational) to the point that more messages are generated about icmp than all other traffic combined, especially in non-working hours.What I am asking is a way for the audit-trail to be selecively disabled for icmp, so that the outgoing (echo) &incoming (echo reply) sessions can be established without generating syslog messages.
I've a big problem with a loss of packets ICMP sent by different hosts in differents VLAN. Here my architecture:
Core Switch : 2 Switch's C6509 (Version 15.0 (1) SY1)- Mode VSS - One lien VSL , the other link is defective.Access Switch: C3750 , Connected to Core Switch through 2 fibre optique wires.Topology: redundant ring
When I send consecutive ping message I found always a missing of packets . Furthermore When I insert the "show ip traffic" command., the parameter "bad hop count" increase after a loss of packets. I've 2 hosts connected in my network and they send packets with TTL =127.
In the Core Switch I haven't configured the MEC because it gave me troubles with the packets multicast.
Ask this question, if someone came across a 6513, one of the RJ45 ports are constantly falling.The question is how to disable logging on a specific portno logging event link-status does not work.
I'm getting this error message on syslog server (Kiwi syslog)access-list logging rate-limited or missed XXXX packets i did the following commands but still I'm getting the error :logging buffered 16386 debugginglogging rate-limit all 5000no logging consoleno logging monitorip access-list logging interval 30000ip access-list log-update threshold 30000 i don't want to report to the console or monitor i want to report direct to syslog server, because I'm monitoring all the traffic (permit ip any any log) !
We have a PIX 515E running ver 6.3 and we want to implemente some sort of logging to keep track of who/when logs in to the PIX and if they make any config changes or to the file system. All of this is for forensic purposes in the future. I have already looked at some PIX docs but I don´t seem to find what I am lokking for.
I'm encountering what I think is an issue on logging system on FW ASA 5520 - Asa Version 8.4(2), ASDM version 6.4(5). When I disabled the logging inside a rule from ASDM, or from console with the "log disable" option inside ACL, If I check in ASDM logging real time window I continue to see all the entry related to disabled rules. This is a correct behaviour about ASA logging ? How I can "hide" the entry related to disabled rules (this is what I need for troubleshooting purposes) ?
At this moment we have a Linksys x3000 configured as modem on a ADSL connection (PPPoA)From our monitoring server we send ICMP packets to see if the connection is alive (or not).The problem is when we disable the ipV4 SP1 firewall and do not tick the: "Filter Anonymous Internet Requests" , we still receive connection timeout's from outside hosts. Is this a bug? And if not; how can we enable ping from outside networks?We really want to enable ping because of the monitoring software.The firmware is the latest version: 1.0.0.1
UPnP renew entry 255.255.255.255 <-> 68.98.71.182:61041 <-> 192.168.0.197:61041 UDP timeout:-1 'Teredo' (this one repeated 13 times just in that 1 info slot)
Blocked outgoing ICMP packet (ICMP type 3) from 192.168.0.197 to 109.185.100.195
Blocked incoming TCP packet from 108.170.42.83:80 to 68.98.71.182:36792 as SYN:ACK received but there is no active connection
this goes on for a multiple of different ip's and i believe its due to the fact that the game i play is p2p
QoS is off spi is off udp and tcp endpoint independent firmware version 1.21 i am using wireless cable isp using motorola sb5101 i believe i port forwarded the ports used for the game but that didnt work so i put my computer into dmz. I've also noticed a lot more jitter then i used to have and my upload speed is down about 4mbps. Was thinking it might just be outdated firmware?
Attached is our network diagram showing the details of our remote office and the corporate side which are connected via private fiber. The workstation (10.10.102.84) can ping the 10.20.0.31 IP address of the PBX but not the .30 address and I know if we can’t ping it we can’t remotely manage it. The 2811 router, ASA 5510 and the 6509-E can ping both IP addresses on the PBX. The ASA logs the error "Denied ICMP type=0, from laddr 10.20.0.30 on interface inside to 10.10.102.84: no matching session" when the workstation pings the .30 address.
We changed the default gateway of the PBX from 10.20.0.2 to 10.20.0.1 (2811 router) and we were able to ping both IP addresses from the workstation but the SIP trunks from the Internet stopped working (they NAT to the .30 address). Because calls may be forwarded from the PBX to the corporate network (via IP phones) we will eventually need to change the default gateway to10.20.0.1 and still need the Internet SIP trunks.
My two questions are, how do we resolve the issue of pinging the .30 address from the workstation and then when the time comes how do we resolve the issue with the SIP traffic reaching the .30 address when we change the default GW of the PBX to the 10.20.0.1 address of the 2811 router.
I am looking for the way how to disagle logging of one user. We are using one testing user for checking accesibility of ACS from large number of switches - this checking exhausting logs quite quickly. Is it possible to disable logging of such user?
My syslog is full of %ASA-4-106023: Deny tcp src outside:---- by access-group "inbound-acl" messages. I did not configure an explict deny for the access list to log these denies.how I can disable logging of denied connections?
I'd like to know if there's a command I can run to turn off paging on my SF302 switch. So for example, when I run the "show logging" command on the CLI, I'd like to it return all the results instead of prompting me to hit space bar or enter.
Both regular IP traffic and ICMP traffic are passing through the source port. C6509 provides the option of filtering vlan traffic during monitoring. But I don't have vlan traffic.
I need to create a VPN and have split tunneling disabled, so that all traffic including internet traffic goes over the vpn back to the headquators and out that internet pipe or to the network. I will be using the Cisco VPN client software and connecting to a 2811 router running IOS ver 12.3(8r)T7. I am pretty new when it comes to these configurations
I ran autosecure on my 1841 routere and now I cant do ping or traceroutes. What should I do to enable the pings and traceroutes after auto secure is done.
I am looking for a way to see packets that are matched on certain ACLs in a CoPP policy map. I have read that it is not a good thing to add the log keyword at the end of an ACL when using that ACL for CoPP. I initially tried to use a logging policy map but the 6500 12.2sx doesn't support this.
how I can see source/destination IP for a certain class in a CoPP policy map?
I am looking for soem best-practice and useful logging commands on 6500 and 3750 platforms. Some of them I have listed below. Is there any important ones I am missing Also, I need to know what kind of recommended logging level is for buffer and what is loggign level for syslog server?
As part of troubleshooting a seperate issue, somebody on my 891 router had set logging trap debugging which shows as a line in sh run just above the access-lists. There is no syslog server however so I'd like to remove this entry, however when I do no logging trap debugging I end up with a no logging trap entry replacing the previous logging trap debugging entry. Is there away to be rid of this entry? I tried no no logging trap but of course that's an invalid command.
We recently replaced our core switch from a non-cisco vendor with a Nexus 7010. With our old core switch, I had the ability to log changes to the ARP table. So if there was a dhcp conflict or a vMotion event, it would show up in the "show log" output. I've not found a way to do that with the Nexus switch - or at least no way to view the log. I have the command: logging level arp 6
I am experiencing inconsistent echo-replay from devices connected via VPC to Nexus 5500s while pinging from the Nexus exec prompt.
In some cases I receive normal response when pinging from one Nexus, but no response when pinging from the other switch. In other instance I receive normal response to one Nexus, and duplicate replays to the other. It looks like a VPC related bug. NXOS is 5.1.3.N2.1
5501# ping 10.12.12.232 PING 10.12.12.232 (10.12.12.232): 56 data bytes 64 bytes from 10.12.12.232: icmp_seq=0 ttl=253 time=8.585 ms 64 bytes from 10.12.12.232: icmp_seq=0 ttl=254 time=9.227 ms (DUP!) 64 bytes from 10.12.12.232: icmp_seq=1 ttl=253 time=1.011 ms 64 bytes from 10.12.12.232: icmp_seq=2 ttl=253 time=8.097 ms 64 bytes from 10.12.12.232: icmp_seq=2 ttl=254 time=9.429 ms (DUP!) 64 bytes from 10.12.12.232: icmp_seq=3 ttl=253 time=18.195 ms 64 bytes from 10.12.12.232: icmp_seq=4 ttl=253 time=8.807 ms(code)
I am in the process of installing a 3750x (IOS 12.2 (53r) SE2 IP Base) Cisco Catalyst switch in a new network of just 2 PC's (2 hosts, OS windows7 64Bits). I have enabled SVI interfaces with the both hosts installed in 2 different network segments. We then start connectivity test. The response time for the PING command between both hosts remain below 1 millisecond, whereas the response time between the hosts and their correspondent SVI interface is variable, and at all time is higher than 1 millisecond, sometimes it reaches 17 milliseconds. (Note that the switch CPU usage is only 8% at the time of testing) We have performed this same connectivity test changing the 3750x switches and in two different locations obtaining the same results.
I had setup a lan infrastructure with 5 3750 stack swithes. In these 3 of them are in one stack which is acting as access switch, 2 of them in another stack which is as core switch where all the SVI is configured. Now, when i tried to ping from our edge pc which is connected in access switch to default gaeway, which is configured in core switch, the ICMP is getting delayed . But when try to ping from the same edge pc to another user PC, it is getting less tahn 1 millisecond icmp replies.
why icmp is delaying to default gateway , but working with another edge to edge pcs without any delays?
Need to clarify if ip sla icmp echo operation is supported in catalyst 3kx switches (ip services)? on the configuration guide, commands are available, but on the feature navigator, i can't find the feature, only ip sla video operation. i don't have a device to test on here.
Today one of our 9 Cisco switches a "WS-C2950S" (we also got 2 other WS-C2950S on same network) stop responding icmp ping packages. When i tried to telnet the switch its network was unreachable but i was able to see its existance from other switches by "sh cdp neig". So i decided to fix the situation on a suitable night time work, checking by console cable or even rebooting the device.
Then i started to wonder... what this could possibly be about?We have like 40 clients behind that switch and there was no communication problem during the problem.
i am facing a problem when the client vlan is commmunicating with the default gateway on the core 3750-x.
ios in 3750-x core is 3750e-universalk9-mz.150-2.SE.bin. But, client to client communication is happening without any dealy and icmp is less than 1 ms always.
When try to ping default gateway of client vlan, it is getting delayed (variable icmp delays). Is this an ios bug?
i can't configure "logging event spanning-tree" on a specific port under IOS 12.2.(58) SE2 (all other "logging events" are possible), under 12.2 (55) it is possible. Is it now a known bug or a default value?
I have been getting the logs in my cisco 6513 switch [code] On further investigating in the module 9 which has a DFC card also , we found the source of this error whether it is a source of any upcoming potential impact or can be simply ignored
