Hotspot Question
According to the logging configuration on the Cisco ASA, what will happen if syslog server 10.10.2.40 fails?
A. New connections through the ASA will be blocked and debug system logs will be sent to the internal buffer.
B. New connections through the ASA will be blocked and informational system logs will be sent to the internal buffer.
C. New connections through the ASA will be blocked and system logs will be sent to server 10.10.2.41.
D. New connections through the ASA will be allowed and system logs will be sent to server 10.10.2.41.
E. New connections through the ASA will be allowed and informational system logs will be sent to the internal buffer.
F. New connections through the ASA will be allowed and debug system logs will be sent to the internal buffer.
Pay attention to the protocol: whether this syslog uses TCP or UDP.
TCP – blocked with syslog down
UDP – allowed with syslog down
Correct, the answer is E.
The syslog connection is UDP.
Can’t tell from the picture. If TCP, then it will block. If UDP, it will allow (UDP is connectionless; it can’t tell if the server is available or not). See the 2nd link from horse’s message.
B is correct
see
https://packetu.com/2016/06/28/careful-tcp-syslog-asa/
https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc6
From the link you've published:
“Since we are doing TCP based logging, the ASA can determine the status of the syslog server (or that it doesn’t exist). Since the connection cannot be established and log the activity, it defaults to disallowing new connections for transit traffic.
…
There are a couple of ways to solve this. The first method is to only use UDP based logging. The other way to solve this is with the following command.
asav-1(config)# logging permit-hostdown
”
How can one tell, from the screenshot, whether it's UDP or TCP?
Regards,
CM
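The point the quoted packetu article makes (TCP syslog lets the ASA detect the outage and, without `logging permit-hostdown`, new transit connections are denied; UDP is connectionless so nothing changes) can be checked mechanically against the `logging` lines of a running-config. The script below is an added example, not code from the thread or from Cisco: it parses `logging host`, `logging permit-hostdown`, `logging trap` and `logging buffered` lines, reports what happens if a named syslog host fails, and maps the result onto the A–F options of the question. The three sample configs are constructed (the hotspot screenshot is not available), and the ASA defaults it assumes are udp/514 and tcp/1470.

```python
"""Audit the 'logging' section of a Cisco ASA running-config: if a given
syslog server goes down, are new transit connections blocked, and which
severities are kept in the internal buffer?

Added example, not part of the forum thread. The sample configs are
constructed; the real hotspot screenshot is not available.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# ASA severity keywords and numeric levels (either form is accepted in config)
SEVERITIES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
LEVEL_NAMES = {v: k for k, v in SEVERITIES.items()}


def severity(token: str) -> int:
    """Accept 'informational' or '6' and return the numeric level."""
    if token.isdigit() and int(token) in LEVEL_NAMES:
        return int(token)
    if token in SEVERITIES:
        return SEVERITIES[token]
    raise ValueError(f"unknown severity: {token}")


@dataclass
class SyslogHost:
    interface: str
    ip: str
    proto: str            # 'udp' (ASA default) or 'tcp'
    port: int             # ASA defaults: udp/514, tcp/1470
    secure: bool = False  # 'secure' = syslog over TLS; only valid with tcp


@dataclass
class LoggingConfig:
    hosts: List[SyslogHost] = field(default_factory=list)
    permit_hostdown: bool = False
    trap_level: Optional[int] = None       # severity sent to syslog hosts
    buffered_level: Optional[int] = None   # severity kept in the internal buffer


PROTO_RE = re.compile(r"(tcp|udp)(?:/(\d+))?")


def parse_logging(config: str) -> LoggingConfig:
    """Pick the logging-related lines out of a running-config."""
    cfg = LoggingConfig()
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0] != "logging":
            continue
        if tokens[1] == "host" and len(tokens) >= 4:
            # logging host <iface> <ip> [tcp[/port] | udp[/port]] [format emblem] [secure]
            proto, port, secure = "udp", 514, False
            for tok in tokens[4:]:
                m = PROTO_RE.fullmatch(tok)
                if m:
                    proto = m.group(1)
                    port = int(m.group(2)) if m.group(2) else (1470 if proto == "tcp" else 514)
                elif tok == "secure":
                    secure = True
            cfg.hosts.append(SyslogHost(tokens[2], tokens[3], proto, port, secure))
        elif tokens[1] == "permit-hostdown":
            cfg.permit_hostdown = True
        elif tokens[1] == "trap" and len(tokens) == 3:
            cfg.trap_level = severity(tokens[2])
        elif tokens[1] == "buffered" and len(tokens) == 3:
            cfg.buffered_level = severity(tokens[2])
    return cfg


def audit_host_failure(config: str, ip: str) -> dict:
    """Effect on new connections and on the buffer if syslog host `ip` fails."""
    cfg = parse_logging(config)
    host = next((h for h in cfg.hosts if h.ip == ip), None)
    if host is None:
        raise ValueError(f"{ip} is not a configured syslog host")
    # UDP is connectionless: the ASA cannot detect the outage, transit traffic is unaffected.
    # TCP (including 'secure', which is TCP + TLS): the ASA sees the failed connection and,
    # unless 'logging permit-hostdown' is set, denies new transit connections (%ASA-3-414003).
    blocked = host.proto == "tcp" and not cfg.permit_hostdown
    return {
        "host": f"{host.ip} {host.proto}/{host.port}" + (" secure" if host.secure else ""),
        "new_connections": "blocked" if blocked else "allowed",
        "buffer": LEVEL_NAMES[cfg.buffered_level] if cfg.buffered_level is not None else None,
        "fix": "logging permit-hostdown (or move the host to udp)" if blocked else None,
    }


def exam_option(result: dict) -> Optional[str]:
    """Map an audit result onto options A-F of the question; None if no option fits."""
    table = {
        ("blocked", "debugging"): "A", ("blocked", "informational"): "B",
        ("allowed", "informational"): "E", ("allowed", "debugging"): "F",
    }
    return table.get((result["new_connections"], result["buffer"]))


# Constructed sample configs (assumptions; the original screenshot is not available)
CONFIG_UDP = """\
logging enable
logging buffered informational
logging trap informational
logging host inside 10.10.2.40
logging host inside 10.10.2.41
"""
CONFIG_TCP = """\
logging enable
logging buffered debugging
logging trap informational
logging host inside 10.10.2.40 tcp/1470
logging host inside 10.10.2.41 tcp/1470
"""
CONFIG_TCP_HOSTDOWN = CONFIG_TCP + "logging permit-hostdown\n"

if __name__ == "__main__":
    for name, cfg in [("udp", CONFIG_UDP), ("tcp", CONFIG_TCP),
                      ("tcp+permit-hostdown", CONFIG_TCP_HOSTDOWN)]:
        r = audit_host_failure(cfg, "10.10.2.40")
        print(f"{name:20s} {r['new_connections']:8s} buffer={r['buffer']}  option={exam_option(r)}")
```

Running it prints one line per sample: the plain-UDP config yields "allowed" with an informational buffer (option E), the TCP config without `permit-hostdown` yields "blocked" with a debugging buffer (option A), and adding `logging permit-hostdown` to the TCP config turns it back to "allowed" (option F). Options C and D have no mapping because the ASA sends to every configured host rather than failing over to 10.10.2.41.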
Should be E. Check the config of the syslog server; if it's not syslog-tls, nothing will be blocked.
Is there any update on this? I also do not understand why a syslog failure should prevent new connections passing through the ASA.
Answer B is not correct. IMO, I will go with E.
There is not enough detail shown in the diagrams. Failure of the syslog server will not prevent new connections passing the ASA policy. In case no additional syslog server is configured, if the connection to the configured syslog fails, logs will be sent to the internal buffer.
For the exam, verify the configuration of the syslog servers.
IMHO, it should be E, as long as the syslog connection is UDP. There must be a screenshot missing with the syslog server configuration.
TTFN,