Cisco, Microsoft, and Linux

ACL Debugging/Monitoring on the Cisco ASA

I love debugging on Cisco platforms. When things don’t work the way we expect them to, we can construct logical arguments as to why, but ultimately, we need to test or OBSERVE the behavior of a network device.

Enter debugging. Have I mentioned that I LOVE debugging? Cisco’s debugging features expose “how and what the ASA is thinking”. The place where I personally use the debug feature the most is with IPSEC VPNs. By debugging IPSEC, I can solve virtually any IPSEC VPN issue that rears its ugly head.

I’ve always wanted a way to do some kind of rudimentary ACL debugging, but I could not find any debugging facility to do this. Sure, we can turn on logging and view the log buffer from time to time, but it’s time consuming looking through the log to find your needle in the log buffer haystack. I want a more precise way to view only certain syslog messages.

This week, I have been sitting in a Cisco ASA class and I had a chance to group-think with some smart dudes. Together, we came up with and tested a solution. Here is a thumbnail sketch that I will detail out below.

  1. *Turn on logging
  2. *Enable time-stamps
  3. *Turn on buffered logging
  4. *Set a size for your buffered log
  5. Create a log list filter
  6. monitor the log list

*Steps 1 through 4 you should be doing anyway, so get that part set up and working. Now for the ssh debugging, you will simply add steps 5 and 6.

I will display each of the commands one-at-a-time with a short explanation.

  1. Turn on logging – Cisco ASA’s have logging turned off by default.
    logging enable
  2. Turn on time-stamps – I want a time stamp indicating when the log entry was written.
    logging timestamp
  3. Turn on buffered logging – save a copy of the recent log entries in ram at this log severity level
    logging buffered warnings
  4. Set a max size to control how much ram is used to store your buffered log entries
    logging buffer-size 65000
  5. We want to specify which log entries are pushed to the console. I am going to select entry 106023, which according to Cisco is always generated when an ACL denies a packet, EVEN if the LOG keyword is omitted from the ACL entry. I am calling my list “acl-messages” and matching message 106023. You can have more than 1 entry in your log list by simply adding additional “logging list” lines, each with the syslog message that you would like to monitor.
    logging list acl-messages message 106023
  6. This command tells the ASA to display syslog messages that match our logging list in SSH and Telnet sessions
    logging monitor acl-messages
  7. **If you happen to be logged in to a CONSOLE port, as opposed to being ssh’d in, you will need to display syslog messages that are matched by our logging list in console sessions via the logging console command.
    logging console acl-messages

When all set up, “show log” looks like this:

Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: list acl-messages, 17 messages logged
Buffer logging: level warnings, 6740 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled

You will NOT see this debugging output in an ssh session unless you issue this terminal monitor command. You MUST do this each time you connect to an SSH session when you wish to see the debugging output.

terminal monitor

To turn off terminal monitor, the command is:

terminal no monitor

For my test, I placed an ACL on the inbound side of my inside interface.

Now, I generated some telnet traffic from an inside host to destination IP 9.9.9.9 and as expected, ACL 99 blocked my traffic and a message was sent to my ssh session:

Poncho#
Dec 09 2010 19:25:57: %ASA-4-106023: Deny tcp src inside:172.26.26.111/61942 dst outside:9.9.9.9/23 by access-group "99" [0x625ffd80, 0x0]

It’s obvious that this 106023 message was sent as a result of a deny on ACL 99. What’s less obvious is that the hex number 0x625ffd80 at the end of the syslog message will match an ACE in ACL 99.

Poncho# sh access-list 99 | i 0x625ffd80
access-list 99 line 2 extended deny ip object Inside_Network host 9.9.9.9 0x625ffd80
access-list 99 line 2 extended deny ip 172.26.26.0 255.255.255.0 host 9.9.9.9 (hitcnt=67) 0x625ffd80

So we know that this syslog message indicates that line 2 of ACL 99 caused this message to be sent to the ssh session.

Next, I got this message:

Poncho#
Dec 09 2010 19:36:51: %ASA-4-106023: Deny icmp src inside:172.26.26.111 dst outside:9.9.9.9 (type 8, code 0) by access-group "99" [0x866f911a, 0x0]

Again, ACL 99 is blocking access, and the ACE that is blocking this is 0x866f911a.

Poncho# sh access-list 99 | i 0x866f911a
access-list 99 line 1 extended deny icmp object Inside_Network host 9.9.9.9 0x866f911a
access-list 99 line 1 extended deny icmp 172.26.26.0 255.255.255.0 host 9.9.9.9 (hitcnt=8) 0x866f911a

This time, it was line 1 of ACL 99 that blocked a packet.
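The hash-to-ACE lookup done by hand above can be automated. The following Python script is an added example, not from the original post: it parses 106023 deny messages, pulls out the ACE hash, and matches it against “show access-list” output to name the ACL line that dropped the packet. The syslog lines and ACL output are constructed to mirror the ones shown above.

```python
import re

# Constructed sample data (not from a live device): two 106023 deny messages
# in the ASA's format and the matching "show access-list 99" output.
SYSLOG_LINES = [
    'Dec 09 2010 19:25:57: %ASA-4-106023: Deny tcp src inside:172.26.26.111/61942 '
    'dst outside:9.9.9.9/23 by access-group "99" [0x625ffd80, 0x0]',
    'Dec 09 2010 19:36:51: %ASA-4-106023: Deny icmp src inside:172.26.26.111 '
    'dst outside:9.9.9.9 (type 8, code 0) by access-group "99" [0x866f911a, 0x0]',
]

SHOW_ACCESS_LIST = """\
access-list 99 line 1 extended deny icmp object Inside_Network host 9.9.9.9 0x866f911a
access-list 99 line 1 extended deny icmp 172.26.26.0 255.255.255.0 host 9.9.9.9 (hitcnt=8) 0x866f911a
access-list 99 line 2 extended deny ip object Inside_Network host 9.9.9.9 0x625ffd80
access-list 99 line 2 extended deny ip 172.26.26.0 255.255.255.0 host 9.9.9.9 (hitcnt=67) 0x625ffd80
"""

# Deny <proto> src <if>:<addr> dst <if>:<addr> ... by access-group "<acl>" [<ace hash>, <flow hash>]
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\S+) src (?P<sif>[^:]+):(?P<src>\S+) '
    r'dst (?P<dif>[^:]+):(?P<dst>\S+).*?by access-group "(?P<acl>[^"]+)" '
    r'\[(?P<ace>0x[0-9a-f]+), (?P<flow>0x[0-9a-f]+)\]'
)
# Every ACE line of "show access-list" ends with the same hash the syslog message carries.
ACE_RE = re.compile(r'^access-list (?P<acl>\S+) line (?P<line>\d+) .* (?P<ace>0x[0-9a-f]+)$')

def parse_deny(syslog_line):
    """Return the fields of a 106023 deny message, or None if the line is not one."""
    m = DENY_RE.search(syslog_line)
    return m.groupdict() if m else None

def index_aces(show_output):
    """Map (acl name, ace hash) -> ACL line number; object and expanded forms share a hash."""
    index = {}
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            index[(m['acl'], m['ace'])] = int(m['line'])
    return index

def correlate(syslog_lines, show_output):
    """For each deny message return (acl, ace hash, acl line or None if no ACE matched)."""
    index = index_aces(show_output)
    return [(d['acl'], d['ace'], index.get((d['acl'], d['ace'])))
            for d in map(parse_deny, syslog_lines) if d]

if __name__ == '__main__':
    for acl, ace, line in correlate(SYSLOG_LINES, SHOW_ACCESS_LIST):
        print(f'access-group {acl} ACE {ace} -> line {line}')
```

A None in the third position means the hash in the syslog message no longer appears in the ACL, which happens after the ACL has been edited since the packet was dropped.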

Summary: The following is my personal config without commentary:

Poncho# sh run log
logging enable
logging timestamp
logging list acl message 106023
logging buffer-size 65000
logging monitor acl
logging buffered warnings

This control gives you the ability to turn ACL deny syslog messages printing to your console on and off “at will”.

Turn the debugging output on:

terminal monitor

Turn the debugging output off:

terminal no monitor

One more tool for ASA troubleshooting!

One Response to “ACL Debugging/Monitoring on the Cisco ASA”

  1. Ari H. says:

    Thank you for sharing this. This helped me a lot. :)
