Cisco ASA No Debug Output?

KB ID 0001477

Problem

I see this get asked in forums A LOT, typically the poster has another problem they are trying to fix, someone has asked them to debug the problem and they cant see any debug output.

No Debug Output

Solution

Firstly you need to understand what logging is, and how debugging fits within it. (Bear with me, this is good knowledge to have).

The firewall saves logs in syslog format, and there are 8 Levels of logs, the one with the MOST information is called ‘debugging’ (or severity 7 in Syslog world)

  • 0=Emergencies
  • 1=Alert
  • 2=Critical
  • 3=Errors
  • 4=Warnings
  • 5=Notifications
  • 6=Informational
  • 7=Debugging

So if you are debugging, then all you are doing is looking at syslog output thats severity 7. The ASA can send these logs to an internal memory buffer, and external Syslog server, or to the screen, either the console (via rollover cable) or the monitor (SSH/Telnet session, or what router types, call the virtual terminal lines).

Fine but I cant see anything doofus, that’s why I’m here!

OK, now you understand how it all works, you should understand when you see the commands, why it wasn’t working!

Issue a ‘show log’ command;

Logging Cisco ASA

What does this tell us? Well mose importantly it tells us logging in ON.

Syslog logging: enabled

If it were disabled then you turn it on with;

logging on

The next piece of pertinent information is.

Timestamp Logging: Disabled

While not critical, logs are much easier to interpret when they are stamped with the correct time! I’m in the UK so this is the command I would use (Note: I’m enabling NTP Time sync, this can take a while to synchronise);

clock timezone GMT 0 clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00

! ntp server 130.88.203.12 source outside

! logging timestamp

Sending Debug Output to the Screen

As mentioned above, you can send output to the console or the monitor;

Send Debug to SSH/Telnet Session

logging monitor debugging terminal monitor

Note: To disable, the command is ‘terminal no monitorNOT ‘no terminal monitor’ (Thanks Cisco!)

Sending Debug Output to the Console (Serial Connection)

Send Debug to SSH/Telnet Session

logging console debugging

Note: To stop it, set it back to ‘warnings’ (the default).

logging console warnings

Sending Debug Output to the Internal Log (Buffer)

This is easier, as you can filter the results for particular IP addresses/ports/usernames etc, which is handy if there are pages and pages to look though, and they are not scrolling past you yes, faster than you can read them!

logging buffered debug login buffer-size 1000000

Then to view the logs file;

show log

To clear the log;

clear logging buffer

To turn off;

no logging buffered debug

To Filter/Search the logs;

show log | include 192.168.100.1

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *