Find source(s) of dropped packages in Cisco ASA GUI

Question

we are using pair of ASA 5520 Firewalls with ASDM 6.4.

Can someone enlighten me, how to find out which is(are) the source or target ip(s) when we got a hugh bunch of dropped packages come in (by ASDM or CLI)?

As of today, we had >100.000 dropped packages at a time for about 10 minutes. Obviously a try to interrupt our connection. What I want to achieve is to see in that moments which is the specific source (if it's just one) or the specific target when such attack starts.

The ASDM did not show something special in the Firewall Dashboard execpt the big 'Dropped Packets Rate'. In 'Monitoring' 'Log Buffer' nothing is shown up for that time range.

Any help is really welcome!

Jimmy

Answer 1

Introduction

First of all, please read documentation on logging on ASA, for example:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_syslog.html#wp1082858

ASA has logging levels, and a lot of capabilities for log reporting. The most relevant for you are probably ASDM, console and syslog (I would like to mention SNMP and NetFlow as well, since they are often used for monitoring).

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logsevp.html

ASDM and console show only current logs. You have no good options to see what has happened before you started ASDM or executed "show logging" command. In console, there is a buffer for history, which is 4 Kb per default. For ASDM default buffer (history size) is 100 messages. Both are like nothing if you have 100 000 events.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/l2.html#wp1770150

So, to see current messages is ASDM, you could just enable logging level you need (e.g., start with severity level 4 and increase it if you do not see messages you need). If you have ASA 5520, I could assume, that you will get tons of logs if you enable level 7. After this, you should be able to see scrolling (almost at a speed of light;) logs right in the main window of ASDM.

Of course, to see old messages, you could increase the buffer size. However, I do not recommend to do it, since it will use resources of ASA. Instead, the right way would be to configure logging to remote syslog server, where you could later analyse them.

Logging to rsyslog

To configure it, prepare a Linux machine with rsyslog (in my experience, normal syslog crashed the whole Debian 6 server, when I tried to send logs from ASA to it, so I have used Ubuntu with rsyslog; syslog-ng may also work):

1.Prepare folder:

mkdir /home/asa
mkdir /home/asa/log
touch /home/asa/log/asa.log
chown -R root:adm /home/asa/log/asa.log #optional; check permissions in /var/log to have an notion

2.Configure logrotate:

touch /etc/logrotate.d/asa

content:

/home/asa/log/asa.log {
daily
rotate 365
missingok
compress
create 640 root adm
}

3.Enable remote logging: uncomment the following lines in /etc/rsyslog.d:

$ModLoad imudp
$UDPServerRun 514

4.Configure logging (/etc/rsyslog.d/50-default):

local1.* /home/asa/log/asa.log

5.Add local1.none for /var/log/syslog (line 11 of the 50-default) and /var/log/messages (line 42 of 50-default) to avoid writing messages from ASA there:

*.*;auth,authpriv.none,local1.none              -/var/log/syslog
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none,local1.none              -/var/log/messages

6.Rsyslog will now listen to local1 (facility17). ASA should be configured to send messages to facility17 (DO NOT FORGET TO BACKUP THE PREVIOUS CONFIGURATION):

(config)# logging host inside x.x.x.x
(config)# logging trap 6
(config)# logging permit-hostdown !!! THIS IS VERY IMPORTANT !!! Allow ASA to continue working without blocking connections when logging server is down
(config)# logging facility 17 # local1 facility for syslog
(config)# logging enable

Now you have all your logs (including info about dropped connections) on syslog server. You could analyse and correlate them as you want. E.g., apply third-party solutions or just manually select unique target addresses in console.

SNMP / Netflow

Please see my other answer: https://serverfault.com/a/487024/118677

I had quite a nice experience with ManageEngine NetFlow Analyzer (at that time it allowed to monitor one interface for free). To configure it, you need (in short):

1. Configure SNMP trap on ASA

2. Configure SNMP in ManageEngine NetFlow Analyzer

3. "UnManage" last interface (IfIndex65535) under "LicenseManagement"

4. Update SNMP in ManageEngine NetFlow Analyzer

See also: Can I use Cisco ASA's "NetFlow Security Event Logging" (NetFlow 9) for bandwidth monitoring

Other options

Basically, using syslog and SNMP capabilities, you could apply any third-party tool for monitoring and analysis, e.g. Splunk, LogStash, GreyLog, etc.

You could also automate controlling the state (memory, CPU load, dropped packets) of your ASA using Nagios/OpsView/Munin etc.

Threat detection

If you want to detect attacks, ASA has also a threat-detection built-in:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_threat.html

However, I would not rely on this functionality too much. Especially, I had a bad experience with blocking detected threats (aka 'shun') on my 5505, it just goes crazy and starts blocking normal connections. Detection and statistics without blocking are safe.

Just update your firmware regularly and analyse the logs.