Cisco Bug: CSCvt55919 - ENH:ASA-improve packet-tracer output for drops related to logging permit-hostdown policy

Last Modified

Apr 20, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.10(1)

Description (partial)

Symptom:
To troubleshoot connectivity issues through the ASA we use the packet-tracer tool. Currently, if a TCP syslog server is unreachable and "logging permit-hostdown" is not enabled in the configuration, transit traffic will be dropped by the ASA until the syslog server becomes accessible again.

However, in packet-tracer the traffic appears to be dropped at phase 4 by the default "deny ip any any" ACE of the inside interface ACL:

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2986a3c0, priority=501, domain=permit, deny=true
	hits=138212, user_data=0x7fdd6333e20, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0,  port=0, tag=any
	dst ip/id=0.0.0.0,  port=0, tag=any dscp=0x0
	input_ifc= inside, output_ifc=any

This makes it extremely difficult to troubleshoot such issues, which can lead to a major network outage. The aim of this enhancement request is to add the following note to the packet-tracer output:

This connection is denied based on the logging permit-hostdown policy. One of the configured TCP syslog servers is unreachable and "logging permit-hostdown" is not enabled.

Conditions:
Utilizing TCP-based syslog within an ASA deployment.
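Until the packet-tracer output carries such a note, the risk described above can be caught in a configuration audit. The following script is an added example, not part of this bug report or of any Cisco tool; it parses a constructed ASA running-config fragment, lists every syslog server configured over TCP, and reports a finding when "logging permit-hostdown" is absent. It assumes the documented "logging host <ifc> <ip> [tcp|udp][/port]" CLI form and the ASA defaults of UDP/514 when no protocol is given and TCP/1470 when "tcp" is given without a port.

```python
import re
from typing import List

# Constructed sample running-config fragment (not taken from the bug report).
SAMPLE_CONFIG = """\
logging enable
logging timestamp
logging trap informational
logging host inside 192.0.2.10 tcp/1470
logging host inside 192.0.2.11
logging host dmz 198.51.100.5 udp/514
"""

# Matches "logging host <ifc> <ip> [tcp|udp|6|17][/port] ..." (ASA CLI form, assumed).
LOGGING_HOST_RE = re.compile(
    r"^\s*logging host (?P<ifc>\S+) (?P<ip>\S+)"
    r"(?: (?P<proto>tcp|udp|6|17)(?:/(?P<port>\d+))?)?",
    re.IGNORECASE,
)


def tcp_syslog_hosts(config: str) -> List[str]:
    """Return 'ifc ip:port' for every syslog server configured over TCP."""
    hosts = []
    for line in config.splitlines():
        m = LOGGING_HOST_RE.match(line)
        if not m:
            continue
        # No protocol keyword means the ASA default, syslog over UDP/514.
        proto = (m.group("proto") or "udp").lower()
        if proto in ("tcp", "6"):
            port = m.group("port") or "1470"  # assumed ASA default TCP syslog port
            hosts.append(f"{m.group('ifc')} {m.group('ip')}:{port}")
    return hosts


def permit_hostdown_enabled(config: str) -> bool:
    """True when 'logging permit-hostdown' is present in the config."""
    return any(re.match(r"^\s*logging permit-hostdown\s*$", ln)
               for ln in config.splitlines())


def audit(config: str) -> List[str]:
    """One finding per TCP syslog server that, if unreachable, would block transit traffic."""
    if permit_hostdown_enabled(config):
        return []
    return [f"TCP syslog server {h}: if unreachable, new connections are dropped; "
            f"add 'logging permit-hostdown' or monitor the server" for h in tcp_syslog_hosts(config)]
```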