Wednesday, January 24, 2018

Troubleshooting a Cisco ASA5525 & an ACL for syslog traffic.

OK so this is a weird one.

I have an ASA5525 with two interfaces (LAN & WAN). I have an ACL from the LAN to the WAN to pass syslog traffic on udp/514.

On the LAN side I have a vRealize Log Insight VM as the source of the syslog traffic which is correctly configured to send syslog traffic to a server on the WAN via the ASA over udp/514.

In the logs on the ASA I do NOT see any syslog traffic from vRealize (and yes, it is sending traffic); however, if I hit the test button in vRealize I see the test traffic in the ASA logs, and the test traffic passes through the ACL correctly.

If that wasn't odd enough: if I change vRealize to send syslog on udp/1234, I see tons of syslog traffic at the ASA being blocked by the ACL rule for udp/514. Nothing wrong there, working as expected. So if I now change the ACL to allow udp/1234, the traffic immediately stops and nothing is seen in the ASA logs! Weird, huh? If I now send a test from vRealize on udp/1234, I see it in the ASA logs as the ACL passes the test traffic!

You may need to re-read that to understand my problem. So, has anyone EVER seen anything like this behavior?

tldr: when I align my ASA ACL syslog (LAN to WAN) rule with the incoming syslog LAN traffic, the ASA logs report no traffic seen. However, if I misalign the port (between the traffic and the ACL), I see traffic in the ASA logs, albeit blocked by the misaligned ACL.
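One check worth making before chasing the ACL itself is the severity of the messages you are looking for. On an ASA, a packet denied by an access-group produces message 106023 at severity 4 (warnings), while a permitted UDP flow produces 302015 "Built outbound UDP connection" and 302016 "Teardown UDP connection" at severity 6 (informational). Any logging destination configured below informational (for example `logging buffered warnings` or an ASDM log viewer filtered to warnings) will therefore show the denies and silently drop the permits, which would look exactly like "traffic only appears when the ACL blocks it". The post does not confirm this is the cause, so treat it as a hypothesis to verify. The script below is an added example, not code from the post: it parses constructed ASA syslog lines patterned on the real 106023/302015/302016 message formats and shows what survives at a given logging level. The IP addresses, interface names (LAN, WAN), ACL name (LAN_access_in) and connection IDs are placeholders.

```python
import re
from dataclasses import dataclass

# Cisco ASA syslog severities (0 is most severe). A destination configured at
# "warnings" keeps levels 0..4; "informational" keeps 0..6.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
LEVEL_BY_NAME = {name: level for level, name in SEVERITY_NAMES.items()}

HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msg_id>\d{6}):\s*(?P<body>.*)")
# 106023: Deny <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> by access-group "<acl>" [...]
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_ifc>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\"")
# 302015: Built outbound UDP connection <id> for <egress_ifc>:<dst>/<dport> (...) to <ingress_ifc>:<src>/<sport> (...)
BUILT_RE = re.compile(
    r"Built outbound (?P<proto>UDP|TCP) connection \d+ for "
    r"(?P<egress_ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([^)]*\) to "
    r"(?P<ingress_ifc>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)")


@dataclass
class AsaEvent:
    severity: int
    msg_id: str
    action: str   # "permit" (302015), "deny" (106023) or "other"
    proto: str
    src: str
    dst: str
    dport: int


def parse_asa_line(line):
    """Return an AsaEvent for an ASA syslog line, or None if it is not one."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    sev, msg_id, body = int(m["sev"]), m["msg_id"], m["body"]
    d = DENY_RE.search(body)
    if d:
        return AsaEvent(sev, msg_id, "deny", d["proto"].lower(), d["src"], d["dst"], int(d["dport"]))
    b = BUILT_RE.search(body)
    if b:
        # For "Built outbound" the first endpoint is the far side (destination), the second the originator.
        return AsaEvent(sev, msg_id, "permit", b["proto"].lower(), b["src"], b["dst"], int(b["dport"]))
    return AsaEvent(sev, msg_id, "other", "", "", "", 0)


def visible_at(level_name, events):
    """Events a logging destination configured at `level_name` would actually keep."""
    level = LEVEL_BY_NAME[level_name]
    return [e for e in events if e.severity <= level]


def syslog_flow_summary(lines, level_name, dst_host, dport=514):
    """Count permitted and denied flows to dst_host visible at a logging level."""
    events = [e for e in map(parse_asa_line, lines) if e]
    kept = visible_at(level_name, events)
    return {
        "permits": sum(1 for e in kept if e.action == "permit" and e.dst == dst_host and e.dport == dport),
        "denies": sum(1 for e in kept if e.action == "deny" and e.dst == dst_host),
        "dropped_by_logging_level": len(events) - len(kept),
    }


# Constructed sample log: one permitted udp/514 flow (built + teardown at sev 6)
# and two udp/1234 packets denied by the ACL (sev 4). Addresses are placeholders.
SAMPLE_LOG = """\
%ASA-6-302015: Built outbound UDP connection 48211 for WAN:203.0.113.10/514 (203.0.113.10/514) to LAN:10.0.0.5/43210 (10.0.0.5/43210)
%ASA-6-302016: Teardown UDP connection 48211 for WAN:203.0.113.10/514 to LAN:10.0.0.5/43210 duration 0:02:01 bytes 3120
%ASA-4-106023: Deny udp src LAN:10.0.0.5/43210 dst WAN:203.0.113.10/1234 by access-group "LAN_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src LAN:10.0.0.5/43210 dst WAN:203.0.113.10/1234 by access-group "LAN_access_in" [0x0, 0x0]
""".splitlines()

if __name__ == "__main__":
    for level in ("informational", "warnings"):
        print(level, syslog_flow_summary(SAMPLE_LOG, level, "203.0.113.10"))
```

At "informational" the permitted udp/514 flow and both denies are visible; at "warnings" only the denies remain and the two severity-6 messages are dropped, which reproduces the symptom in the post without any ACL fault. To confirm or rule this out on the box itself (interface names and addresses assumed as above): `show logging` reports the level of each destination, `show access-list LAN_access_in` shows whether the udp/514 ACE's hit count is climbing even when nothing is logged, `capture syslogcap interface LAN match udp host 10.0.0.5 any eq 514` followed by `show capture syslogcap` shows whether the packets are reaching the LAN interface at all, and `packet-tracer input LAN udp 10.0.0.5 43210 203.0.113.10 514` walks a synthetic packet through the ACL and reports the result.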


