Cisco Asa Syslog Configuration

Lock held by lock_owner_name %ASA-1-105031: Failover LAN interface is up %ASA-1-105032: LAN Failover interface is down %ASA-1-105034: Receive a LAN_FAILOVER_UP message from peer. %ASA-1-105035: Receive a LAN failover interface down msg For more information on the use of the log and log-input keywords, refer to the white paper Understanding Access Control List Logging. Any time a connection is reset, when the host at the end of the connection sends a packet after the security appliance receives the reset, this message will appear. The valid range for message IDs is between 100000 and 999999.

Explanation The response from the AAA server could not be validated. For example, a TCP packet arrived for which no connection state exists in the ASA, and it was dropped. For a Type-5 LSA, it may be a duplicate router ID on the router reporting this error message and on the routers connected to a different area. License server is not responding %ASA-2-444105: Released value shared licensetype license(s).

If the message occurs at regular intervals, contact the remote peer administrator. 106011 Error Message %PIX|ASA-3-106011: Deny inbound (No xlate) string Explanation The message will appear under normal traffic conditions if Recommended Action None required. 109026 Error Message %PIX|ASA-3-109026: [aaa protocol] Invalid reply digest received; shared server key may be mismatched. Explanation The MTU of an SA was changed. Recommended Action Find the originating router of the LSA with the bad mask, then correct any misconfiguration of this LSA's network.

Recommended Action Access lists, AAA, ICMP, SSH, Telnet, and other rule types are stored and compiled as access list rule types. Explanation Both instances are failover messages. This is due to standard sockets behavior. Explanation Failover mode is enabled, but the failover cable is not connected to one unit of the failover pair.

Recommended Action None required. 105003 Error Message %ASA-1-105003: (Primary) Monitoring on interface interface_name waiting Explanation The ASA is testing the specified network interface with the other unit of the failover pair. This is a transient message and the ASA should recover. First, administrators will use the command show logging | grep access list name to identify the source IP address that may be needed for further investigation. http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logsevp.html Recommended Action Make sure that the data is sent correctly. 602103 Error Message %ASA-6-602103: IPSEC: Received an ICMP Destination Unreachable from src_addr with suggested PMTU of rcvd_mtu; PMTU updated for SA

Choose All from the Event Class drop-down list. Explanation Failover initially verifies that the number of interfaces configured on the primary and secondary ASAs are the same. Recommended Action None required. 109013 Error Message %ASA-3-109013: User must authenticate before using this service Explanation The user must be authenticated before using the service. These messages are logged when failover mode is enabled, but the failover cable is not connected to one unit of the failover pair. (Primary) can also be listed as (Secondary) for

Cisco Asa Syslog Levels

Make sure that the secondary ASA is running the ASA application and that failover is enabled. 105040 Error Message %ASA-1-105040: (Primary) Mate failover version is not compatible. http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html The inbound packet is discarded because it cannot specify which PAT host should receive the packet. mpc_description with ips_description is not supported. %ASA-1-413008: There was a backplane PCI communications failure with module module_description_string in slot slot_num %ASA-1-505011: Module ips data channel communication is UP. %ASA-1-505014: Module module_id, IP_address —The server IP address to which the ASA sends authentication requests.

In order to configure the site-to-site IPsec VPN configuration, refer to PIX/ASA 7.x and above: PIX-to-PIX VPN Tunnel Configuration Example. Primary can also be listed as Secondary for the secondary unit. 104004 Error Message %ASA-1-104004: (Primary) Switching to OK. Recommended Action Maintain consistent software versions between the primary and secondary security appliances to enable failover. 105042 Error Message %PIX|ASA-1-105042: (Primary) Failover interface OK Explanation LAN failover interface link is up. Recommended Action None required. 105001 Error Message %PIX|ASA-1-105001: (Primary) Disabling failover.

Recommended Action Replace the cable. 102001 Error Message %PIX|ASA-1-102001: (Primary) Power failure/System reload other side. The console now collects the ca class message with severity level Emergencies as shown on the Logging Filters window. This message might be generated as a result of a DoS attack.

Check for misconfigured clients. 106017 Error Message %ASA-2-106017: Deny IP due to Land Attack from IP_address to IP_address Explanation The ASA received a packet with the IP source address equal to If the identity information or FQDN is available, the ASA logs this information for both the source and destination. The ASA does not support DNS, and therefore does not support hostnames for servers, unless you manually map a name to an IP address using the name command.

Recommended Action Check to see if the authentication server is too slow to respond to authentication requests.

The connection_type is one of the following strings: SIGNALLING UDP SIGNALLING TCP SUBSCRIBE UDP SUBSCRIBE TCP Via UDP Route RTP RTCP Recommended Action None required. 608002 Error Message %ASA-4-608002: Dropping Skinny This message is displayed if the security appliance is configured for AAA and detects an authentication request by the specified user. Table 12 New, Changed, and Deprecated Syslog Messages for Version 9.1(3) New Syslog Messages None Changed Syslog Messages (Documentation) 106100, 715080, 746001-746019, 747021 Changed Syslog Messages (Code) 747021 Deprecated Syslog Messages This completes the ASDM configurations with the use of a message list as shown in Example 2.

Because many organizations do not make extensive use of logging on routers and because router logging is somewhat limited, NetFlow is often a more effective means of analysis. Table 5 New, Changed, and Deprecated Syslog Messages for Version 8.4.(6) New Syslog Messages 716600-716603 Changed Syslog Messages (Documentation) 302014 Changed Syslog Messages (Code) None Deprecated Syslog Messages None Table 6 For complete syslog message descriptions, see Chapter 1, “Syslog Messages.” Table 4 New, Changed, and Deprecated Syslog Messages for Version 8.4.(5) New Syslog Messages None Changed Syslog Messages (Documentation) 103004, The configured server key is probably incorrect.

User username did NOT have appropriate Admin Rights. %ASA-3-114006: Failed to get port statistics in 4GE SSM I/O card (error error_string). %ASA-3-114007: Failed to get current msr in 4GE SSM I/O Primary can also be listed as Secondary for the secondary unit. Recommended Action None required. 614001 Error Message %ASA-6-614001: Split DNS: request patched from server: IP_address to server: IP_address Explanation Split DNS is redirecting DNS queries from the original destination server to ingress_ifc—The interface on which the packet arrived.

Explanation This is a AAA message. If memory is low, then the timer wheel functionality did not initialize. The security appliance looks up a route based on the source_address. Unicast RPF, also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack

Primary can also be listed as Secondary for the secondary unit. logging class ca console emergencies ASDM Configuration This procedure shows the ASDM configurations for Example 3 with the use of the message list. Recommended Action None required. 614002 Error Message %ASA-6-614002: Split DNS: reply from server: IP_address reverse patched back to original server: IP_address Explanation Split DNS is redirecting DNS queries from the enterprise Trends Although these syslog events do not give the same information as a full sniffer log such as TCP dump, there still is some information administrators can use to learn about

Explanation The primary unit has failed. Recommended Action Restart the OSPF process. 613102 Error Message %ASA-6-613102: interface s has zero bandwidth Explanation The interface reports its bandwidth as zero. This completes the ASDM configuration for Example 3. Either the cost or database-filter option needs to be configured.

Recommended Action On the unit that experienced the reload, issue the show crashinfo command to determine if there is a traceback associated with the reload. econns nconns %ASA-3-201004: Too many UDP connections on {static|xlate} global_address! It was not possible to create a neighbor datablock for the local router. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination.

Contact Cisco TAC to investigate this type of case. 613016 Error Message %ASA-3-613016: Area string router-LSA of length number bytes plus update overhead bytes is too large to flood. Enter the name of the message list in the Name box. Explanation This is a failover message.