Pix Firewall Error Logs

Feb 16th, 2007

Hello,

One of my firewalls hung and stopped VPN from working. Rebooting the firewall resolved the issue.

Is there a method on how I can tell what caused this? Syslog is enabled but I'm not sure where the messages and logs are being transferred to because someone else configured this. Does anyone know how I can figure this info out?

I also noticed a graphical interface. How is this viewed and configured?

http://www.ciscopress.com/content/images/chap09_1587051583/elementLinks/fig03.jpg

Thanks

zulqurnain Fri, 02/16/2007 - 22:31

Hello Danny,

You should install a syslog application, e.g. SolarWinds syslog or Kiwi Syslog; both have different features but serve the purpose of a syslog application well enough.

Then log into your PIX config mode and enter these commands:

#logging host inside <your syslog system ip>

#logging trap informational or debugging

#logging on

This will make the PIX forward all logging messages to your syslog machine, and later you can analyze what's causing the issue.

HTH, please rate it

danny9797 Sat, 02/17/2007 - 05:45

Thanks for the response.

If I issue the show logging command, it gives me some info but not much is helpful. On the first line it says syslog enabled.

How can I view the syslog logs? I never set up the firewall so I'm not sure how the person configured it.

Thanks

milanod Sat, 02/17/2007 - 11:27

That's only the internal log buffer, which is small. To capture the output, set up the syslog program mentioned above on a computer / server, make sure UDP 514 is open and issue:

logging host inside (ip of syslog svr)

logging timestamp

logging trap (level)

where level is info or debug.

This will give you plenty of log info
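
Added example, not part of the original thread: a small Python decoder for the datagrams a PIX sends to UDP 514 once `logging host` and `logging trap` are set, useful for confirming that messages arrive and at which level. It assumes the standard syslog PRI encoding (facility * 8 + severity) and the `%PIX-level-id:` tag; the sample datagram and its message text are constructed, and `serve` is a minimal receiver that needs privileges to bind port 514.

```python
import re
import socket

SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
PIX_MSG = re.compile(r"^<(\d{1,3})>(.*?)%PIX-([0-7])-(\d+): (.*)$", re.S)

# Constructed datagram: PRI 166 = facility 20 * 8 + severity 6; text is made up.
SAMPLE = b"<166>Feb 16 2007 10:15:02: %PIX-6-302001: constructed message text\n"

def decode_pix_syslog(datagram):
    """Split one syslog datagram into PRI fields and the %PIX-level-id tag."""
    text = datagram.decode("ascii", errors="replace").rstrip("\r\n\x00")
    m = PIX_MSG.match(text)
    if not m:
        return None  # not a PIX-formatted message
    pri = int(m.group(1))
    return {
        "facility": pri >> 3,          # PRI = facility * 8 + severity
        "severity": pri & 7,
        "level": SEVERITIES[int(m.group(3))],
        # Present only when "logging timestamp" is configured on the PIX.
        "timestamp": m.group(2).strip().rstrip(":") or None,
        "msg_id": m.group(4),
        "text": m.group(5),
    }

def sent_at_trap(level, trap):
    """True if a message of `level` is forwarded when `logging trap <trap>` is set."""
    return SEVERITIES.index(level) <= SEVERITIES.index(trap)

def serve(bind="0.0.0.0", port=514):
    """Receive datagrams on UDP 514 and print the decoded form of each."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (src, _) = sock.recvfrom(4096)
        print(src, decode_pix_syslog(data) or data)

if __name__ == "__main__":
    print(decode_pix_syslog(SAMPLE))
```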

danny9797 Sat, 02/17/2007 - 21:34

Thanks for the reply.

When I issue sh logging, it shows syslog enabled already.

Someone may have configured this on the firewall already. Are there any methods to figure out where the syslog program is outputting to?

Thanks again.

zulqurnain Sat, 02/17/2007 - 21:40

Hello,

Did you install and configure the PIX as I explained above?

Are you saying you still cannot see the logs in your syslog application?

danny9797 Sun, 02/18/2007 - 06:26

I will have to try it on Monday.

My concern is that someone has already configured it. When I issue the sh logging command it's telling me that syslog is enabled. What can that mean? I'm starting to assume that it's already generating logs but I'm not sure where they're output to.

If I install the syslog app, won't it capture errors going forward? I'm trying to figure out what caused the firewall to kill the vpn on Friday.

scottvivian Tue, 02/20/2007 - 07:38

On the output of the "show logging" command you should see something like this:

========================
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level notifications, 233423171 messages logged
Trap logging: level notifications, 31732377 messages logged
Logging to outside 1.2.3.4
History logging: level errors, 4034648 messages logged
========================

The key line above is the "Logging to outside 1.2.3.4" which says you have an external syslog server configured. If you don't have something similar to this (note that the "outside" is referring to the interface you are sending logs to - yours would probably show "inside") then you are only logging to the internal buffer as someone else has mentioned.

Get Kiwi and follow their instructions for setting up syslog - they have pretty good instructions for getting it to work on a PIX.

Good luck!

Scott
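
Added example, not part of the original thread: a Python check that reads saved "show logging" output and reports whether an external syslog server is configured, which is the question the "Logging to ..." line answers. The sample text is constructed from the output quoted above; the finding messages and the assumption that a disabled trap is shown as "Trap logging: disabled" are this example's own.

```python
import re

# Constructed sample, modelled on the "show logging" output quoted in the thread.
SAMPLE = """\
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level notifications, 233423171 messages logged
Trap logging: level notifications, 31732377 messages logged
Logging to outside 1.2.3.4
History logging: level errors, 4034648 messages logged
"""

DEST = re.compile(r"^\s*Logging to (\S+) (\d{1,3}(?:\.\d{1,3}){3})\s*$")
SETTING = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$")

def audit_show_logging(text):
    """Return configured syslog servers, raw settings and any gaps found."""
    settings, servers = {}, []
    for line in text.splitlines():
        m = DEST.match(line)
        if m:  # "Logging to <interface> <ip>" means an external server is set
            servers.append({"interface": m.group(1), "ip": m.group(2)})
            continue
        m = SETTING.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    findings = []
    if settings.get("syslog logging") != "enabled":
        findings.append("logging is off")
    if not servers:
        findings.append("no syslog host: messages stay in the internal buffer")
    elif settings.get("trap logging", "").startswith("disabled"):
        findings.append("syslog host set but trap logging disabled")
    if settings.get("timestamp logging") != "enabled":
        findings.append("timestamps disabled")
    return {"servers": servers, "settings": settings, "findings": findings}

if __name__ == "__main__":
    print(audit_show_logging(SAMPLE))
```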

danny9797 Tue, 02/20/2007 - 08:03

Okay, I fully understand now.

I have been speaking with someone in regards to this firewall and they stated that the memory becomes full and must be rebooted once per month.

Is there a way where I can list this information (total memory size, how much memory is being used, etc.)?

I know the syslog just gives you traffic information but I don't think it will give information related to the memory.

Thanks

scottvivian Tue, 02/20/2007 - 08:20

You can do a "show memory" command:

show mem
Free memory: 183018200 bytes
Used memory: 85417256 bytes
------------- ----------------
Total memory: 268435456 bytes

If the firewall is running out of memory and must be rebooted, you have a significant problem. I have not seen or heard of anything like that. What version of PIXOS are you running?

danny9797 Tue, 02/20/2007 - 13:40

Thanks for the response. I will have to issue this command the next time I run into a problem. It's got 49405952 bytes free right now out of 67108864.

Here is the firewall info:

Cisco pix version 6.1(2)

Cisco pix device manager version 1.1(2)

scottvivian Tue, 02/20/2007 - 14:19

If you are running ipsec, there is an issue in your version regarding a memory leak. It is bug # CSCdw38189 - see link below.

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdw38189%20

If the PIX crashes (reboots) you could attach a PC to the console of the FW and capture the console output (tracebacks) when the PIX reboots.

Also, the same technique can be used to make sure when it does reboot, there are no other errors showing up.

scottvivian Tue, 02/20/2007 - 14:22

Regarding the GUI you show in the link - that is using a tool called Sawmill (http://www.sawmill.net) to analyze a log file.

You might download an eval copy to see if it works for you.

Good luck - Scott
