Cannot see debug message in ASA through SSH

Hi, I set up debugging on a failover ASA as below. I cannot see any debug messages through SSH. If I telnet onto the ASA, I can see them, but over SSH I cannot. Does anyone have a suggestion? Thank you

--------------
logging on
logging monitor debugging
eemoon Asked:

btan Exec Consultant Commented:
Reference, see if this helps:
Log to Telnet or SSH sessions on the firewall:
FWSM 2.x
Firewall(config)# logging monitor level

PIX 6.x
Firewall(config)# logging monitor level

PIX 7.x
Firewall(config)# logging monitor {level | event-list}

If you have a remote firewall Telnet or SSH session open, you might want to see logging messages as they are generated. Messages are displayed if they are at or below the specified severity level: emergencies (0), alerts (1), critical (2), errors (3), warnings (4), notifications (5), informational (6), or debugging (7).

To see the logging messages in the current session as they are generated, use the terminal monitor EXEC command. (In PIX 6.3, you must be in configuration mode to use this command. In addition, the most recently initiated Telnet session receives the session logging output by default, because terminal monitor mode is active until it is disabled.) To stop seeing the messages, use the EXEC command terminal no monitor.

With PIX 7.x, you can also use a policy to select which messages are displayed. Messages that are matched by the event list named event-list (defined in Step 2) are forwarded to the logging destination.
http://www.ciscopress.com/articles/article.asp?p=424447&seqNum=2

Specifically, this article sheds some light on such an encounter:
One thing to note about logging to Telnet\SSH sessions using the monitor destination. Whilst you may have this enabled and will be able to see the messages logged count in the above output rising each time, you may find yourself confused as to why, whilst SSH’d on to your ASA, you aren’t seeing the logs on your screen.

To view logs for the current session, assuming they are enabled, you need to type this command in whilst connected:

ASA#terminal monitor

and the logs will start appearing according to the severity level you have set.
http://vegaskid.net/2013/03/logging-options-on-the-cisco-asa/
0
eemoon Author Commented:
Thank you so much for your fast reply. I am using ASA 8.4. I set up the debug level (as below) for telnet and ssh on the ASA. When I log onto the ASA from a neighbor router (using telnet and ssh respectively), it is strange that the ASA can show debug messages via telnet, but not via SSH?

--------------
logging on
logging monitor debugging
0
btan Exec Consultant Commented:
Thoughts:
- So the terminal monitor command stated in the last post has no effect? E.g.
Step 1 - logging monitor {severity_level | message_list}
Example: hostname(config)# logging monitor 6
Step 2 - terminal monitor Example: hostname(config)# terminal monitor
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/monitor_syslog.html#wp1134700

- What about if there is no router as intermediary, any differences?
- In the past, has this not happened, or only after an upgrade or changes were made, if any?
- How about if we use the "show logging" command to verify where logging messages are being sent?

To share, starting in 8.4(2), we can no longer connect to the ASA using SSH with the pix or asa username and the login password. Hence to use SSH, we must configure AAA authentication using
- the aaa authentication ssh console LOCAL command (CLI); or
- Configuration > Device Management > Users/AAA > AAA Access > Authentication (ASDM);
then define a local user by entering the username CLI; or
- choose Configuration > Device Management > Users/AAA > User Accounts (ASDM).

I wonder if there is any difference if we try another local user via telnet and ssh?
0
eemoon Author Commented:
I think the issue is that the two commands below do not work no matter who tests it or which device you use.
The diagram is like this:   device (router, switch or others) ----------- ASA

After telnet or SSH to the ASA from the device, we can see debug messages only through telnet, not SSH.


Configuration in the ASA:

logging on
logging monitor debugging
0
btan Exec Consultant Commented:
Doesn't seem to have "terminal monitor" though. Considerations:

a) All devices as intermediary should be transparently bridged. But there may be some modems/routers that block some things like that even when bridged.

b) The ASA does not allow telnet to its interface from outside. If you are sure that from inside you can ssh to the ASA, then you might have set the wrong IP in the command #"ssh <your ip> <your mask> outside". You can try to open up every IP to SSH #"ssh 0 0 outside" (you do not need any access-list for doing ssh to the ASA; use 255.255.255.255 or define a network in place of host).

I am also thinking of enabling ssh debugging (#debug ssh) to see any error:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118075-configure-asa-00.html
0
eemoon Author Commented:
Thank you for your reply. SSH login onto the ASA is not a problem. The problem is that I cannot see debug messages through SSH after using those two commands, can you?
0
btan Exec Consultant Commented:
I have no access to the device, but have heard from others it should be alright, hence I suspect a certain device is blocking, but it looks like it is working locally direct to the ASA. Furthermore, if terminal monitor is enabled and you still do not see it, then I am not sure if the firmware is the issue, or an update done recently, if in the past it was OK when done similarly...
0
eemoon Author Commented:
Thank you. I cannot see debug messages on the ASA in production. Then I went to the lab. I found that the two commands are essential and enough to see debug messages on the ASA if you telnet to the ASA, but not SSH. So lab and production are the same. That is why I am pretty sure the two commands work well for telnet on the ASA. terminal monitor is for routers.
0
btan Exec Consultant Commented:
Thanks for sharing - sure, I am just verifying, as terminal monitor is to enable logging to the current session only.
Send Logging Information to a Telnet/SSH Session
logging monitor severity_level
terminal monitor

Logging monitor enables syslog messages to display as they occur when you access the ASA console with Telnet or SSH and the command terminal monitor is executed from that session. In order to stop the printing of logs to your session, enter the no terminal monitor command.
Brief - http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc9
CLI - http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/monitor_syslog.html#pgfId-1134700

Likewise, see what you will be seeing if we custom-create a message list of certain IDs of your showing in staging and production.
Enter these commands in order to create a message list, which includes all the severity 2 (critical) messages with the addition of message 611101 to 611323, and also have them sent to the console:
logging list my_critical_messages level 2
logging list my_critical_messages message 611101-611323
logging console my_critical_messages
Otherwise I believe it is being blocked or hardened per se, as outbound from the monitor session is not shown... I also doubt we need to reboot the ASA.
0
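To make the two selection rules discussed in this thread concrete (the "at or below the severity level" threshold behind logging monitor, and a message list that combines a level with a message-ID range as in the logging list example above), here is an added Python example; it is not from the thread, from Cisco, or from the asker's ASA. It parses the %ASA-level-id: prefix of constructed sample syslog lines and applies both filters; the SEVERITY table follows the level numbering quoted earlier, and the sample lines and their message texts are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# ASA severity numbering as quoted in the thread: emergencies (0) ... debugging (7).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# ASA syslog prefix: %ASA-<level>-<six-digit message id>: <text>
SYSLOG_RE = re.compile(r"%ASA-(?P<level>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")


def parse_line(line: str) -> Optional[Tuple[int, int, str]]:
    """Return (level, msgid, text) for an ASA syslog line, or None if it does not match."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    return int(m["level"]), int(m["msgid"]), m["text"]


def filter_by_level(lines: List[str], level: int) -> List[str]:
    """'logging monitor <level>': keep messages whose severity number is <= level."""
    return [l for l in lines if (p := parse_line(l)) and p[0] <= level]


@dataclass
class MessageList:
    """Models 'logging list NAME level N' plus any 'logging list NAME message A-B' lines."""
    level: Optional[int] = None
    ranges: List[Tuple[int, int]] = field(default_factory=list)

    def matches(self, level: int, msgid: int) -> bool:
        # A message is selected by the level threshold OR by an explicit ID range.
        if self.level is not None and level <= self.level:
            return True
        return any(lo <= msgid <= hi for lo, hi in self.ranges)


def filter_by_list(lines: List[str], mlist: MessageList) -> List[str]:
    """'logging monitor <list-name>': keep only messages the list matches."""
    return [l for l in lines if (p := parse_line(l)) and mlist.matches(p[0], p[1])]


# Constructed sample lines (documentation IP ranges, not captured from a real ASA).
SAMPLE = [
    "%ASA-6-302013: Built outbound TCP connection 12 for outside:198.51.100.7/443",
    "%ASA-2-106001: Inbound TCP connection denied from 203.0.113.9/4444",
    "%ASA-6-611101: User authentication succeeded: user = admin",
    "%ASA-7-711001: debug output line",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.9/5555 dst inside:10.0.0.5/22",
]
```

With the thread's my_critical_messages list (level 2 plus 611101-611323), only the severity-2 denial and the 611101 authentication message survive, whereas logging monitor debugging passes every line.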

eemoon Author Commented:
Hi btan

Thank you so much for your reply, and I am sorry for the late response due to another project of mine.
Yes, you are right. Based on the commands you provided and my test, I think the minimum requirement for us to see debug messages through SSH is like this:

logging on
logging monitor
terminal monitor
logging enable
0
btan Exec Consultant Commented:
Thanks for sharing
0