ciscoasa(config)# logging ?
configure mode commands/options:
asdm Set logging level or list for ASDM
asdm-buffer-size Specify ASDM logging buffer size
buffer-size Specify logging memory buffer size
buffered Set buffer logging level or list
class Specify logging event class
console Set console logging level or list
debug-trace Enable logging of redirect debug-trace output to
syslog
device-id Specify the device-id to be included in all
non-EMBLEM formatted syslog messages
emblem Enable logging Emblem format on all output
supported destinations
enable Enable logging to all output supported destinations
facility Specify the syslog facility, the default is 20
flash-bufferwrap Save logging buffer to flash when buffer
wrap-around
flash-maximum-allocation Specify logging maximum flash space allocation
flash-minimum-free Specify logging minimum flash free space threshold
flow-export-syslogs Enable/Disable syslogs whose information is
captured by NetFlow
from-address Specify the from address for the mail logging
ftp-bufferwrap Save logging buffer using FTP when buffer
wrap-around
ftp-server Specify FTP server parameters
history Set the SNMP message level or list for sending
syslog traps
host Send syslog messages to a host
list Specify logging event list
mail Set mail logging level or list
message Specify a message to be allowed
monitor Specify that syslog messages appear on Telnet
sessions to the Firewall console
permit-hostdown Allow new connection even if TCP syslog server is
down
queue Specify queue size for storing syslog messages,
default is 512, 0 means unlimited (subject to
available memory)
rate-limit Specify logging rate-limit parameters
recipient-address Specify the mail logging recipient address and
level
standby Enable logging on standby unit with failover
enabled, warning: this option causes twice as much
traffic on the syslog server
timestamp Enable logging timestamp on syslog messages
trap Set logging level or list for syslog server
exec mode commands/options:
savelog Save logging buffer to flash
ciscoasa(config)# logging enable
ciscoasa(config)# logging buffered ?
configure mode commands/options:
<0-7> Enter syslog level (0 - 7)
WORD Specify the name of logging list
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
ciscoasa(config)# logging buffered debugging
ciscoasa(config)#
%ASA-5-111008: User 'enable_15' executed the 'logging buffered debugging' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'logging buffered debugging'
ciscoasa(config)# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 2 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
If you wish to log all messages from all severity levels, it is strongly recommended that you do so to the internal buffer, and never to the console. In fact, it is generally recommended to leave console logging disabled.
The Cisco ASDM also contains a powerful event viewer that you can use to display real-time messages from the ASA. This event viewer is particularly useful when you are troubleshooting ASA software and configuration issues, or when you are monitoring real-time activity through the ASA.
You enable logging to the internal ASDM event viewer by configuring the ASDM logging destination and specifying a logging filter, in the same manner as for other logging destinations.
ciscoasa(config)# logging asdm ?
configure mode commands/options:
<0-7> Enter syslog level (0 - 7)
WORD Specify the name of logging list
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
ciscoasa(config)# logging asdm informational
If the syslog messages don't pinpoint the issue, consider debugging management protocols on the ASA, such as the following:
* debug ssh: Debugs the SSH daemons to determine low-level protocol failures, such as algorithm or version incompatibility.
* debug http: Debugs HTTP exchanges to determine problems with the ASDM image.
* debug snmp: Debugs SNMP exchanges to help determine problems with SNMP authentication and OIDs.
ciscoasa# debug ssh ?
<1-255> Specify an optional debug level (default is 1)
<cr>
ciscoasa# debug ssh
debug ssh enabled at level 1
%ASA-5-111008: User 'enable_15' executed the 'debug ssh' command.
ciscoasa#
%ASA-6-302013: Built inbound TCP connection 1304 for management:10.1.1.10/3919 (10.1.1.10/3919) to identity:10.1.1.1/22 (10.1.1.1/22)
%ASA-3-315004: Fail to establish SSH session because RSA host key retrieval failed.
%ASA-6-315011: SSH session from 10.1.1.10 on interface management for user "" disconnected by SSH server, reason: "Internal error" (0x00)
Device ssh opened successfully.
SSH0: SSH client: IP = '10.1.1.10' interface # = 2
SSH: unable to retrieve default host public key. Please create a defauth RSA key pair before using SSH
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"
%ASA-6-302014: Teardown TCP connection 1304 for management:10.1.1.10/3919 to identity:10.1.1.1/22 duration 0:00:00 bytes 0 TCP FINs
ciscoasa# debug http
debug http enabled at level 1.
ciscoasa# %ASA-5-111008: User 'enable_15' executed the 'debug http' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'debug http'
ciscoasa#
%ASA-3-710003: TCP access denied by ACL from 10.1.1.10/3966 to management:10.1.1.1/443
%ASA-7-710005: TCP request discarded from 10.1.1.10/3966 to management:10.1.1.1/443
%ASA-3-710003: TCP access denied by ACL from 10.1.1.10/3966 to management:10.1.1.1/443
%ASA-7-710005: TCP request discarded from 10.1.1.10/3966 to management:10.1.1.1/443
Finally, you can also troubleshoot possible issues between an ASA and a remote AAA server by using the debug tacacs or debug radius commands. You can specify conditional debugging (such as limiting to a single username) to avoid excessive output and performance issues.
ciscoasa# debug aaa ?
accounting
authentication
authorization
common
internal
shim
<cr>
ciscoasa# debug aaa authentication
debug aaa authentication enabled at level 1
ciscoasa# %ASA-5-111008: User 'enable_15' executed the 'debug aaa authentication' command.
ciscoasa# exit
Logoff
Username: %ASA-5-611103: User logged out: Uname: enable_15
Username: cisco
Password: *****
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = cisco
%ASA-6-611102: User authentication failed: Uname: cisco
%ASA-6-605004: Login denied from serial to console for user "cisco"
Username: John
Password: *****
%ASA-6-113012: AAA user authentication Successful : local database : user = John
%ASA-6-113008: AAA transaction status ACCEPT : user = John
Type help or '?' for a list of available commands.
%ASA-6-611101: User authentication succeeded: Uname: John
%ASA-6-605005: Login permitted from serial to console for user "John"
ciscoasa> enable
Password:
ciscoasa# %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
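The console sessions above are also a small corpus of %ASA syslog lines. As an added example (not part of the original post or of any Cisco tool), the Python below parses the `%ASA-<severity>-<id>:` prefix, maps the severity digit to the names shown by `logging buffered ?`, and tallies the events this page troubleshoots: the missing SSH host key (315004), the management ACL denial (710003) and the per-user AAA failures and successes. The grouping of message ids into "failure" and "success" sets is our own choice; the sample lines are copied from the sessions above.

```python
import re
from collections import Counter

# %ASA-<severity>-<message id>: <text>, the prefix on every syslog line above.
ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)")
# Severity names as listed by `logging buffered ?` on the ASA.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
# Message ids taken from the transcript; grouping them this way is our choice.
AUTH_FAIL = {"113015", "611102", "605004"}
AUTH_OK = {"113012", "605005"}
USER_RE = re.compile(r'user\s*=\s*(\S+)|Uname:\s*(\S+)|user "([^"]*)"')

# Constructed sample: lines copied from the console sessions on this page.
SAMPLE = """\
%ASA-3-315004: Fail to establish SSH session because RSA host key retrieval failed.
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"
%ASA-3-710003: TCP access denied by ACL from 10.1.1.10/3966 to management:10.1.1.1/443
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = cisco
%ASA-6-611102: User authentication failed: Uname: cisco
%ASA-6-605004: Login denied from serial to console for user "cisco"
%ASA-6-113012: AAA user authentication Successful : local database : user = John
%ASA-6-605005: Login permitted from serial to console for user "John"
""".splitlines()

def parse(line):
    """Return (severity, message id, text), or None for debug/CLI lines without the prefix."""
    m = ASA_RE.search(line)
    return (int(m.group("sev")), m.group("id"), m.group("text")) if m else None

def extract_user(text):
    """Pull the username out of the three formats the AAA messages above use."""
    m = USER_RE.search(text)
    return next(g for g in m.groups() if g is not None) if m else None

def summarize(lines):
    """Count messages per severity name and tally the events this page troubleshoots."""
    report = {"severity": Counter(), "auth_failures": Counter(),
              "auth_success": Counter(), "ssh_hostkey_missing": 0, "acl_denied": 0}
    for sev, msg_id, text in filter(None, map(parse, lines)):
        report["severity"][SEVERITY[sev]] += 1
        if msg_id in AUTH_FAIL:
            report["auth_failures"][extract_user(text)] += 1
        elif msg_id in AUTH_OK:
            report["auth_success"][extract_user(text)] += 1
        elif msg_id == "315004":  # SSH refused: no RSA host key on the box
            report["ssh_hostkey_missing"] += 1
        elif msg_id == "710003":  # management access blocked by ACL
            report["acl_denied"] += 1
    return report
```

Running `summarize(SAMPLE)` on the lines above reports three failed logins for "cisco", two successful ones for "John", one missing host key and one ACL denial; the same function works on a `show logging` buffer dump pasted into a file.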