02-02-2010 10:30 AM
We have a problem with a massive shipment of logs from the Admin context of our ACE to our syslog server ( 172.30.48.6). Traffic is such that the switch where the syslog is saturated. We send the message type, basically 2, which are being sent. Why are these shipping? It implies that the ACE or this context they have a problem.
Feb 2 2010 19:28:07 : %ACE-6-302027: Teardown ICMP connection for faddr 172.30.
48.6/0 gaddr 10.98.154.47/3 laddr 10.98.154.47/0
Feb 2 2010 19:28:07 : %ACE-6-302026: Built ICMP connection for faddr 172.30.48.
6/57483 gaddr 10.98.154.47/224 laddr 10.98.154.47/771
Feb 2 2010 19:28:07 : %ACE-6-302027: Teardown ICMP connection for faddr 172.30.
48.6/0 gaddr 10.98.154.47/3 laddr 10.98.154.47/0
Feb 2 2010 19:28:07 : %ACE-6-302026: Built ICMP connection for faddr 172.30.48.
6/37394 gaddr 10.98.154.47/146 laddr 10.98.154.47/771
Feb 2 2010 19:28:07 : %ACE-6-302027: Teardown ICMP connection for faddr 172.30.
48.6/0 gaddr 10.98.154.47/3 laddr 10.98.154.47/0
Feb 2 2010 19:28:07 : %ACE-6-302026: Built ICMP connection for faddr 172.30.48.
6/57483 gaddr 10.98.154.47/224 laddr 10.98.154.47/771
Feb 2 2010 19:28:07 : %ACE-6-302027: Teardown ICMP connection for faddr 172.30.
48.6/0 gaddr 10.98.154.47/3 laddr 10.98.154.47/0
02-02-2010 01:56 PM
Hello,
It sounds like you might be hitting the following bug. This one logged for the ACE 4710 and there is a similar one logged for the ACE Module:
CSCsx82538 - Unreachable logging host causes the Syslogd process to spike (ACE 4710)
This bug is expected to be fixed in the ACE 4710 A3(2.5) release which is due out very soon. If you are using the ACE module, you can get the fix in the currently available A2(2.3) software release.
The problem is seen when you configure a syslog server on the ACE that isn't yet listening for syslog. This reason behind this problem is:
When you configure a logging host and if that host/port is not reachable then we will get a port unreachable error message from the host.
For this error message we will be generating two messages from ICM
1. Built ICMP connection.
2. Teardown ICMP connection.
We will send above two messages to the host through syslogd. As a result, we will get another two port unreachable error messages from the host. For these messages we will be sending another four syslog messages again. This loop is causing the syslogd to spike.
Hope this helps,
Sean
02-03-2010 02:06 AM
I have an ACE module, this bug can affect too?
Cisco Application Control Software (ACSW)
----
Software
loader: Version 12.2[120]
system: Version A2(2.0) [build 3.0(0)A2(2.0)]
system image file: [LCP] disk0:c6ace-t1k9-mz.A2_2_0.bin
installed license: ACE-16G-LIC ACE-VIRT-020 ACE-SEC-LIC-K9 ACE-SSL-15K-K9
Hardware
Cisco ACE (slot: 9)
cpu info:
number of cpu(s): 2
cpu type: SiByte
cpu: 0, model: SiByte SB1 V0.2, speed: 700 MHz
cpu: 1, model: SiByte SB1 V0.2, speed: 700 MHz
memory info:
total: 955988 kB, free: 221312 kB
shared: 0 kB, buffers: 4204 kB, cached 0 kB
cf info:
filesystem: /dev/cf
total: 1014624 kB, used: 448480 kB, available: 566144 kB
last boot reason: NP 2 Failed : NP ME Hung
configuration register: 0x1
ACE_ITX_A kernel uptime is 15 days 20 hours 18 minute(s) 30 second(s)
I envisage an increase in the A2(2.3) version, this error will it continue?
Thank you very much for your help.
02-03-2010 05:32 AM
Hello,
As I mentioned in my original response:
If you are using the ACE module, you can get the fix in the currently available A2(2.3) software release.
This is, of course, assuming this bug is indeed your issue. Peter offered one work-around of suppressing the log messages. The other would be to remove the syslog server from your config that is sending back the ICMP port-unreachables until it is addressed. The bug for the module is CSCtc54103.
Thank you,
Sean
02-03-2010 07:10 AM
Thank you very much you both for your help!!
02-02-2010 02:53 PM
no logging message 302026
no logging message 302027
(-:
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: