rsyslog does not write remote messages to log file from a specific host
I have set up an rsyslog server (based on CentOS 6) that works fine with some remote hosts. But when I added a Cisco ASA firewall, it does not log its messages!
The rsyslog.conf is the following:
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
The configuration file is the following:
##RSYSLOG configuration file for Remote Logs
$FileCreateMode 0640
$template PerHostLog,"/var/log/remote/%HOSTNAME%.log"
if ($fromhost-ip startswith '10.1.5' or $fromhost-ip startswith '10.2.8') then -?PerHostLog
& ~
Is there anything wrong with those rules? tcpdump shows that messages from the 10.2.8.1 host reach the server, but syslog chose to ignore them. Why?
Solution 1:
I solved it. It was a routing(!) error. The server could not reach the message originator, thus the message was not processed by rsyslog... Go figure...
Solution 2:
I was having the same issue: receiving logs from dozens of ASA devices but not from a specific one. tcpdump showed that the packets were arriving. My problem was that the kernel was filtering its packets. Solved by modifying these two keys in /etc/sysctl.conf:
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
I had to restart the server because sysctl -p was returning errors for a couple of keys that I didn't want to modify.
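Both solutions describe the same symptom: tcpdump captures the datagram (it taps the interface before routing-layer source validation), but rsyslog never sees it because the kernel drops it first, either because the source address has no return route or because reverse-path filtering rejects it. The script below is an added example, not part of either answer, that checks which rp_filter value actually applies to an interface. Per the kernel's ip-sysctl documentation the effective setting is the maximum of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter, and the .default key only seeds interfaces created after it is written, which is why Solution 2's sysctl.conf edit only took full effect after a reboot. The fake /proc tree it builds is constructed here so the script runs offline; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example: report the reverse-path filter mode the kernel applies to
# an interface, and a constructed /proc tree to exercise it offline.

# effective_rp_filter ROOT IFACE -> prints 0, 1 or 2.
# ROOT is "/" on a live host, or a constructed tree for testing.
# The kernel uses max(all, iface), so "all=0" alone does not disable
# strict mode while the interface still holds 1.
effective_rp_filter() {
    root=$1; iface=$2
    all=$(cat "$root/proc/sys/net/ipv4/conf/all/rp_filter")
    dev=$(cat "$root/proc/sys/net/ipv4/conf/$iface/rp_filter")
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# explain_rp_filter ROOT IFACE -> one line a practitioner can act on.
explain_rp_filter() {
    case $(effective_rp_filter "$1" "$2") in
        0) echo "disabled: packets arriving on $2 are not source-validated" ;;
        1) echo "strict: a packet is dropped unless its source routes back out $2" ;;
        2) echo "loose: a packet is dropped only if its source is unroutable" ;;
        *) echo "unknown rp_filter value" ;;
    esac
}

# return_route_check SRC -> exit 0 if the kernel has a route back to SRC.
# Not exercised by the offline demo; run it on the real server to test for
# Solution 1's routing problem (ip route get prints the chosen route).
return_route_check() {
    ip route get "$1" >/dev/null 2>&1
}

# make_fake_proc ROOT: constructed tree mirroring a CentOS 6 box after
# Solution 2's sysctl.conf edit but before the reboot: "all" and "default"
# are already 0, yet the existing eth0 still carries the old strict value.
make_fake_proc() {
    root=$1
    mkdir -p "$root/proc/sys/net/ipv4/conf/all" \
             "$root/proc/sys/net/ipv4/conf/default" \
             "$root/proc/sys/net/ipv4/conf/eth0"
    echo 0 > "$root/proc/sys/net/ipv4/conf/all/rp_filter"
    echo 0 > "$root/proc/sys/net/ipv4/conf/default/rp_filter"
    echo 1 > "$root/proc/sys/net/ipv4/conf/eth0/rp_filter"   # still strict
}

# Stand-alone demo on the constructed tree.
tmp=$(mktemp -d)
make_fake_proc "$tmp"
echo "eth0 before per-interface fix: $(explain_rp_filter "$tmp" eth0)"
echo 0 > "$tmp/proc/sys/net/ipv4/conf/eth0/rp_filter"
echo "eth0 after per-interface fix:  $(explain_rp_filter "$tmp" eth0)"
rm -rf "$tmp"
```

On a live box, `explain_rp_filter / eth0` tells you whether a datagram from 10.2.8.1 is subject to source validation, and `return_route_check 10.2.8.1` tells you whether a return route exists at all. To confirm that rp_filter is the culprit rather than a firewall rule, set net.ipv4.conf.all.log_martians=1 and watch dmesg for "martian source" lines, or compare the IPReversePathFilter counter in /proc/net/netstat before and after the ASA sends a message. If the fix must apply without a reboot, write the interface key directly (net.ipv4.conf.eth0.rp_filter=0) instead of relying on .default.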