Be Careful with TCP Syslog and the ASA
I wanted to take just a moment to share a little gotcha that could take you by surprise. To demonstrate, I have a simple topology with an ASA in the middle. I am inspecting ICMP so ping traffic is stateful and flows properly.
To confirm connectivity, I can ping csr1000v-2 from csr1000v-1:
csr1000v-1#ping 10.0.0.10 repeat 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/6/16 ms
Now for the ASA change that can catch an administrator off guard:
asav-1(config)#logging on
asav-1(config)#logging trap informational
asav-1(config)#logging host inside 1.1.1.1 tcp/1025
! clear the connection just to make sure the next connection will be new
asav-1(config)#clear conn
Now the connectivity from csr1000v-1 to csr1000v-2 is broken:
csr1000v-1#ping 10.0.0.10 repeat 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
So what is wrong? Let’s take one quick look at the logging configuration.
asav-1(config)# show run logging
logging enable
logging trap informational
logging host inside 1.1.1.1 6/1025
asav-1(config)#
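A pre-change check for this gotcha, as an added example that is not part of the original post: it scans `show run logging` output for TCP syslog hosts, accepting both the `tcp/1025` form that was typed and the `6/1025` form the ASA stores. It assumes the documented ASA behaviour that new connections are denied while a TCP syslog server is unreachable unless `logging permit-hostdown` is configured (a command not shown in the output above); the function name `audit_logging` is hypothetical.

```python
import re

# Matches "logging host <interface> <ip> [<proto>/<port>]". The ASA rewrites
# "tcp/1025" as "6/1025" in the running config, so both spellings count as TCP.
HOST_RE = re.compile(
    r"^\s*logging host (?P<ifc>\S+) (?P<ip>\S+)(?: (?P<proto>\w+)/(?P<port>\d+))?",
    re.IGNORECASE,
)
TCP_NAMES = {"tcp", "6"}


def audit_logging(config_text):
    """Return one finding per TCP syslog host that can block new connections."""
    tcp_hosts = []
    permit_hostdown = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.lower() == "logging permit-hostdown":
            permit_hostdown = True
            continue
        m = HOST_RE.match(line)
        if m and (m.group("proto") or "").lower() in TCP_NAMES:
            tcp_hosts.append((m.group("ifc"), m.group("ip"), int(m.group("port"))))
    if permit_hostdown:
        return []
    return [
        f"TCP syslog host {ip}:{port} on '{ifc}' without 'logging permit-hostdown': "
        "new connections are denied while this server is unreachable"
        for ifc, ip, port in tcp_hosts
    ]


# Output of "show run logging" as it appears on this page.
PAGE_CONFIG = """\
logging enable
logging trap informational
logging host inside 1.1.1.1 6/1025
"""

# Constructed variants: the same config with permit-hostdown, and a UDP-only host.
WITH_PERMIT = PAGE_CONFIG + "logging permit-hostdown\n"
UDP_ONLY = "logging enable\nlogging host inside 1.1.1.1\n"

if __name__ == "__main__":
    for name, cfg in [("page", PAGE_CONFIG), ("permit", WITH_PERMIT), ("udp", UDP_ONLY)]:
        print(name, audit_logging(cfg) or "ok")
```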