OK so this is a weird one.
I have an ASA5525 with two interfaces (LAN & WAN). I have an ACL from the LAN to the WAN to pass syslog traffic on udp/514.
On the LAN side I have a vRealize Log Insight VM as the source of the syslog traffic which is correctly configured to send syslog traffic to a server on the WAN via the ASA over udp/514.
In the logs on the ASA I do NOT see any syslog traffic from vRealize (& yes, it is sending traffic); however, if I hit the test button in vRealize I see test traffic in the ASA logs, and the test traffic passes through the ACL correctly.
If that wasn't odd enough... if I change vRealize to send syslog on udp/1234 I see tons of syslog traffic at the ASA being blocked by the ACL rule for udp/514... nothing wrong there, working as expected... so if I now change the ACL to allow udp/1234 the traffic immediately stops and nothing is seen in the ASA logs!!! Weird, huh... if I now send a test from vRealize on udp/1234 I see it in the ASA logs as the ACL passes the test traffic...!!!!
You may need to re-read that to understand my problem... so has anyone EVER seen anything like this behavior??
tl;dr: when I align my ASA ACL syslog (LAN to WAN) rule with the incoming syslog LAN traffic, the ASA logs report no traffic seen.... however, if I misalign the port (between the traffic and the ACL) I see traffic in the ASA logs, albeit blocked by the misaligned ACL???
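One check worth having on hand for a puzzle like this is to take a packet capture on the LAN side of the firewall and classify every datagram against the ACL entry offline, so that "traffic on the wire" and "traffic the rule would match" are counted independently of what the firewall chooses to log. The script below is an added example, not code from the original post or from Cisco or VMware: it decodes IPv4/UDP headers, checks the payload for an RFC 3164 `<PRI>` prefix, and evaluates a rule shaped like the post's `permit udp <LAN net> host <WAN host> eq 514`. The sample capture, the 10.0.0.0/24 and 203.0.113.20 addresses, the 1234 port and the `loginsight` message text are all constructed placeholders.

```python
import ipaddress
import re
import struct
from dataclasses import dataclass


@dataclass
class UdpPacket:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def build_ipv4_udp(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 + UDP datagram. Checksums are left as zero because this
    is constructed test data that never leaves the process."""
    udp_len = 8 + len(payload)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,              # version 4, IHL 5 (20-byte header)
        0,                 # DSCP/ECN
        20 + udp_len,      # total length
        0, 0,              # identification, flags/fragment offset
        64,                # TTL
        17,                # IP protocol number for UDP
        0,                 # header checksum (zeroed for constructed data)
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return ip_hdr + udp_hdr + payload


def parse_ipv4_udp(raw: bytes) -> UdpPacket:
    """Decode an IPv4 header followed by a UDP header; raise on anything else."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 17:
        raise ValueError(f"not UDP (IP protocol {raw[9]})")
    if len(raw) < ihl + 8:
        raise ValueError("truncated UDP header")
    src_port, dst_port, udp_len, _checksum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    return UdpPacket(
        src_ip=str(ipaddress.IPv4Address(raw[12:16])),
        dst_ip=str(ipaddress.IPv4Address(raw[16:20])),
        src_port=src_port,
        dst_port=dst_port,
        payload=raw[ihl + 8:ihl + udp_len],
    )


_PRI_RE = re.compile(rb"^<(\d{1,3})>")


def syslog_pri(payload: bytes):
    """Return (facility, severity) from an RFC 3164 style <PRI> prefix, or None."""
    m = _PRI_RE.match(payload)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 23 / severity 7 is the largest legal PRI
        return None
    return pri // 8, pri % 8


def acl_permits(rule: dict, pkt: UdpPacket) -> bool:
    """Evaluate one ACL entry: permit udp <src_net> host <dst_host> eq <dst_port>."""
    return (
        ipaddress.IPv4Address(pkt.src_ip) in ipaddress.IPv4Network(rule["src_net"])
        and pkt.dst_ip == rule["dst_host"]
        and pkt.dst_port == rule["dst_port"]
    )


def audit(raw_packets, rule: dict) -> dict:
    """Classify captured datagrams against the rule and tally destination ports, so a
    port mismatch between the sender and the ACL is visible without trusting the
    firewall's own logging."""
    summary = {"permitted": 0, "denied": 0, "not_syslog": 0, "dst_ports": {}}
    for raw in raw_packets:
        pkt = parse_ipv4_udp(raw)
        summary["dst_ports"][pkt.dst_port] = summary["dst_ports"].get(pkt.dst_port, 0) + 1
        if syslog_pri(pkt.payload) is None:
            summary["not_syslog"] += 1
        if acl_permits(rule, pkt):
            summary["permitted"] += 1
        else:
            summary["denied"] += 1
    return summary


# Constructed sample capture: addresses, ports and message text are placeholders.
LAN_SOURCE, WAN_COLLECTOR = "10.0.0.10", "203.0.113.20"
SAMPLE_CAPTURE = [
    build_ipv4_udp(LAN_SOURCE, WAN_COLLECTOR, 40001, 514, b"<14>Jan  1 00:00:00 loginsight: event one"),
    build_ipv4_udp(LAN_SOURCE, WAN_COLLECTOR, 40002, 514, b"<14>Jan  1 00:00:01 loginsight: event two"),
    build_ipv4_udp(LAN_SOURCE, WAN_COLLECTOR, 40003, 1234, b"<14>Jan  1 00:00:02 loginsight: event three"),
    build_ipv4_udp(LAN_SOURCE, WAN_COLLECTOR, 40004, 514, b"not a syslog message"),
]
SYSLOG_RULE = {"src_net": "10.0.0.0/24", "dst_host": WAN_COLLECTOR, "dst_port": 514}

if __name__ == "__main__":
    print(audit(SAMPLE_CAPTURE, SYSLOG_RULE))
```

With a real capture, replace `SAMPLE_CAPTURE` with the raw IP packets read from the pcap (the Ethernet header stripped) and `SYSLOG_RULE` with the entry from `show access-list`; if `dst_ports` shows the sender on one port while the rule permits another, the mismatch is at the source, and if the counts line up but the firewall shows nothing, the question moves to what the firewall logs for permitted UDP flows rather than whether the flows exist.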