• December 16, 2017, 09:59:54 AM
Welcome, Guest. Please login or register. Registration is free.
Did you miss your activation email?

Author Topic: Cisco ASA firewall gotcha when using TCP syslog  (Read 155 times)

0 Members and 1 Guest are viewing this topic.

Offline Flintstone

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 950
Cisco ASA firewall gotcha when using TCP syslog
« on: November 29, 2017, 04:56:26 AM »
Hi Guys,

I'm not sure if anyone has seen this gotcha before, but it 'bit' me on the bum   :D

We were tasked to point all our Network devices to a new logging destination using TCP and on the ASA firewall if it cannot see the destination logger the ASA firewall defaults to disallowing new transit connections and if you are using TACACs to access the device you will not be allowed to configure anymore.  The work around is to make sure you have the following command already in your config 'logging permit-hostdown'.  In my situation I had two choices, block TACACs so I could logon locally to the ASA or allow the ASA to see the destination.  I chose the latter as I could see another firewall was blocking access.  Once the ASA could see the destination I could log back on and configure, adding the new command incase it happened again.

CheerZ


Offline Michael McNamara

  • Administrator
  • Hero Member
  • *****
  • Posts: 3830
    • michaelfmcnamara
    • Michael McNamara
Re: Cisco ASA firewall gotcha when using TCP syslog
« Reply #1 on: November 30, 2017, 01:13:29 PM »
Never seen that one... I'm sure that had you scratching your head for more than a few minutes.
We've been helping network engineers, system administrators and technology professionals since June 2009.
If you've found this site useful or helpful, please help me spread the word. Link to us in your blog or homepage - Thanks!

Offline Flintstone

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 950
Re: Cisco ASA firewall gotcha when using TCP syslog
« Reply #2 on: December 01, 2017, 03:54:33 AM »
Yes, I couldn't exactly work out what had happened until I started Googling what had happened and got some hits describing exactly what I was seeing. ;)

Even though I allowed access to the logger via a different firewall this initially did not fix the issue as the logger did not have a local route back, so could not make a connection over TCP  ::)

CheerZ