What does 'link down" mean when viewing output of sh logging for a specific logging to server?

Unanswered Question
Jan 13th, 2010
User Badges:

On a 3560 I have (2) syslog servers defined. Both are up and operational and reachable via ping from the switch.  However on the second defined logging server on the output of the sh logging command it states a "link down" (see below for command output).  This syslog server is not receiving any syslog traps defined.  The logging defined is logging trap warnings.  I have verified trap messages are in the log output at the defined severity level and above(error/critical).  My assumption is that the link down has something to do with why no syslog is being sent to this server. 


   Logging to x.x.x.x  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link up),
              225 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled
        Logging to x.x.x.x  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link down),
              0 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled


thanks,

james

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (5 ratings)
Loading.
Jon Marshall Wed, 01/13/2010 - 07:39
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

fatboyinva wrote:


On a 3560 I have (2) syslog servers defined. Both are up and operational and reachable via ping from the switch.  However on the second defined logging server on the output of the sh logging command it states a "link down" (see below for command output).  This syslog server is not receiving any syslog traps defined.  The logging defined is logging trap warnings.  I have verified trap messages are in the log output at the defined severity level and above(error/critical).  My assumption is that the link down has something to do with why no syslog is being sent to this server. 


   Logging to x.x.x.x  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link up),
              225 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled
        Logging to x.x.x.x  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link down),
              0 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled


thanks,

james


James


You assumption is correct. For some reason the switch thinks that the second syslog server is not working hence the reason it doesn't send any messages.


I know you said you could ping it but can you confirm that the syslog service is actually up and running on the 2nd server and that there is filtering either


1) on the syslog server itself

2) along the path from the switch to the syslog server that is denying udp port 514


Jon

fatboyinva Wed, 01/13/2010 - 07:59
User Badges:

Jon,


To answer your questions:

  1) Syslog is running on the server.  The windows server is running Kiwi/Solarwinds.  When I do a netstat -an I see udp 514 listening:


UDP    0.0.0.0:514           *:*


I am also receiving other syslog data from Cisco switches on this syslog server. In addition windows firewall is turned off.



2) The only device between this Cisco 3560 and the syslog server is another Cisco switch (distribution switch).  No firewall or other blocking device exists in addition to any access lists.  Here's a sample traceroute;


Type escape sequence to abort.
Tracing the route to (x.x.x.x)

  1 x.x.x x msec 0 msec 0 msec
  2 (x.x.x.x) 9 msec 0 msec 0 msec


thanks for your reply.

LemmorOtazzir Wed, 06/23/2010 - 04:50
User Badges:

Hi Folks


Good Afternoon


I am facing the same issue as describe above with a few 4948's switches. I was wondering if any solution was found?


many thanks

jawill47ec Wed, 06/23/2010 - 13:18
User Badges:

Hello,


I did not find a fix, but the resolution in our case was to reload the switch.  That seemed to clear the ip sockets table.   Also, a helpful command that was used is sh ip sockets.  Here is a sample output:


Proto    Remote      Port      Local      Port     In Out Stat  TTY OutputIF
17     --listen--                  1.2.1.41    1975   0   0     11     0
17     0.0.0.0             0     1.2.1.41      67     0   0    2211   0
17     0.0.0.0             0     1.2.1.41    2228    0   0    211    0
17     10.1.1.1        60059  1.2.1.41     161    0   0    1       0
17   --listen--                     1.2.1.41     162    0   0   11      0
17   --listen--                     1.2.1.41   60380   0   0    1       0
17   --listen--          --any--                  161    0   0   20001  0
17   --listen--          --any--                  162    0   0   20011  0
17   --listen--          --any--                 64379  0   0   20001  0
17   --listen--                   1.2.1.41     123   0  0  1   0
17   172.17.9.2      514    1.2.1.41      58781   0   0  400201  0
17   172.17.8.2      514    1.2.1.41      55647   0   0  400201  0


thanks,

james

LemmorOtazzir Wed, 06/23/2010 - 14:08
User Badges:

thanks James I will try it.


Thanks again for that I do appreciate.


Rommel


On Wed, Jun 23, 2010 at 9:18 PM, jawill47ec <

yaleman13 Tue, 04/08/2014 - 19:48
User Badges:

Probably poor form to wake this up from many years ago, but we found today that turning off syslog and turning it back on (after confirming routes are OK) also reset this functionality - tested on a 3750. (It could have been the trap level as well, we changed this at the same time).

Commands:

# no logging trap warnings# logging trap informational

 

Chris Cheesman Tue, 09/20/2016 - 05:38
User Badges:

This is still a current solution!  Used it this morning on a pair of ASR1006 routers.  Many thanks.

Actions

This Discussion

Related Content