
What does this Syslog entry mean?

jaesposito

All,

Can somebody educate me as to what the below syslog entries mean?

=================================

017842: Apr  3 22:31:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
017846: Apr  3 22:32:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
017851: Apr  3 22:33:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
017855: Apr  3 22:34:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 9 packets

017990: Apr  3 23:02:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 10 packets
017994: Apr  3 23:03:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets

018004: Apr  3 23:05:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 8 packets
018008: Apr  3 23:06:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 8 packets
018012: Apr  3 23:07:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 5 packets
018016: Apr  3 23:08:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets

=================================

I'd like to know if this may be affecting outbound traffic from my Ethernet to my Dialer1 interface.

James E


Hi,

Explanation for the syslog message:

Some packet-matching logs were missed because the access list log messages were rate limited, or no access list log buffers were available.

Most likely, you have logging enabled for the ACL and there were more matches than the log can handle or the buffers were full at that moment.

In theory, this should not affect traffic. It is just telling you that at that moment, the ASA was not able to log the packets from the access-list.

Check your configuration to see if you have logging enabled for all the ACLs, and the size of the buffer for the logs.

Federico.
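To quantify how much ACL logging these notices represent, the following added example (not part of the original thread) totals the missed-packet counts per hour from the entries posted in the question. The function names are illustrative, and the single IPACCESSLOGP line in the sample is constructed to show that other messages are ignored.

```python
import re
from collections import defaultdict

# Matches IOS lines written with "service sequence-numbers" and
# "service timestamps log datetime localtime", as in the question.
RL = re.compile(
    r"^(?P<seq>\d+): (?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2}: "
    r"%SEC-6-IPACCESSLOGRL: .* missed (?P<n>\d+) packets?$"
)

# Entries copied from the question, plus one constructed IPACCESSLOGP line.
SAMPLE = """\
017842: Apr  3 22:31:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
017843: Apr  3 22:31:20: %SEC-6-IPACCESSLOGP: list FromLAN permitted tcp 10.10.10.5(1025) -> 66.165.74.175(80), 1 packet
017846: Apr  3 22:32:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
017851: Apr  3 22:33:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
017855: Apr  3 22:34:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 9 packets
017990: Apr  3 23:02:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 10 packets
017994: Apr  3 23:03:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
018004: Apr  3 23:05:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 8 packets
018008: Apr  3 23:06:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 8 packets
018012: Apr  3 23:07:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 5 packets
018016: Apr  3 23:08:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
""".splitlines()


def parse_notices(lines):
    """Return (sequence_number, hour_bucket, missed_packets) per rate-limit notice."""
    notices = []
    for line in lines:
        m = RL.match(line.strip())
        if m:
            bucket = f"{m['mon']} {int(m['day'])} {m['hour']}:00"
            notices.append((int(m["seq"]), bucket, int(m["n"])))
    return notices


def summarize(notices):
    """Total the ACL matches that were not logged, overall and per hour."""
    per_hour = defaultdict(int)
    for _, bucket, missed in notices:
        per_hour[bucket] += missed
    seqs = [seq for seq, _, _ in notices]
    # Sequence numbers count every syslog message, so the gap between two
    # notices is how many other messages the router emitted in between.
    between = [b - a - 1 for a, b in zip(seqs, seqs[1:])]
    return {
        "notices": len(notices),
        "missed_total": sum(per_hour.values()),
        "missed_per_hour": dict(per_hour),
        "messages_between": between,
    }


if __name__ == "__main__":
    print(summarize(parse_notices(SAMPLE)))
```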

I'd like to increase the buffers so I can log those matches (as opposed to receiving the rate-limiting messages).  Can you help me tweak my configuration to capture these matches in syslog?

Here is my config:

=============================================================

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
logging userinfo
logging buffered 1048576 informational
no logging console
enable secret 5 XXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local enable
aaa authentication login userauthen local
aaa authorization exec default local if-authenticated
aaa authorization commands 15 default local if-authenticated
aaa authorization network default local if-authenticated
aaa authorization network groupauthor local if-authenticated
!
aaa session-id common
clock timezone EST -5
clock summer-time EST recurring
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   lease 0 2
!
!
ip cef
ip domain name Router
ip host Router 10.10.10.1
ip name-server 205.152.144.23
ip name-server 205.152.132.23
no ip bootp server
ip flow-cache timeout active 1
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login block-for 60 attempts 3 within 60
login on-failure log
login on-success log
!
!
!
username YYYYYYYY password 7 XXXXXXXXXXXXXXXXXX
archive
log config
  logging enable
  notify syslog
  hidekeys
!
!
ip ssh time-out 60
ip ssh version 2
!
!
!
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip access-group FromLAN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Ethernet2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
hold-queue 100 out
!
interface ATM0
bandwidth 384
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
  vbr-nrt 384 384
  max-reserved-bandwidth 80
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
shutdown
duplex auto
speed auto
!
interface FastEthernet3
shutdown
duplex auto
speed auto
!
interface FastEthernet4
shutdown
duplex auto
speed auto
!
interface Dialer1
bandwidth 384
ip address negotiated
ip access-group FromInternet in
ip verify unicast reverse-path
ip mtu 1492
ip nat outside
ip inspect myfw out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname XXXXXXXX

ppp chap password 7 XXXXXXXXXXXXXXXXXX
ppp pap sent-username XXXXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXXX
ppp ipcp dns request
ppp ipcp wins request
!
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 23 interface Dialer1 overload
!
!
ip access-list extended FromInternet
permit ip 66.175.107.192 0.0.0.31 any log
permit ip host 74.233.236.14 any log
  permit ip host 205.152.144.23 any log
permit ip host 204.152.132.23 any log
  permit ip 65.25.8.224 0.0.0.31 any log
permit ip 69.25.240.224 0.0.0.31 any log
permit ip host 66.165.74.175 any log
  permit ip host 67.51.255.195 any log
permit ip host 66.165.74.195 any log
permit ip host 204.245.225.195 any log
  permit ip host 204.245.227.39 any log
  permit ip 65.215.93.0 0.0.0.255 any log
permit ip host 192.92.91.53 any log
  permit ip 67.151.126.192 0.0.0.31 any log
permit ip host 66.38.151.217 any log
  permit ip host 93.184.71.27 any log
permit ip 89.202.149.32 0.0.0.31 any log
permit ip 89.202.157.224 0.0.0.31 any log
permit ip 89.202.157.192 0.0.0.31 any log
permit ip host 90.183.101.10 any log
permit ip 62.67.184.64 0.0.0.31 any log
permit ip host 93.184.71.10 any log
permit ip host 93.184.71.21 any log
  permit tcp host 69.173.64.15 any eq 123 log
permit udp host 69.173.64.15 any eq ntp log
permit tcp host 66.254.57.165 any eq 123 log
permit udp host 66.254.57.165 any eq ntp log
  deny   ip host 0.0.0.0 any log
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 224.0.0.0 31.255.255.255 any
deny   ip 169.254.0.0 0.0.255.255 any
deny   ip 66.252.232.0 0.0.1.255 any
deny   ip 216.89.237.0 0.0.0.255 any
  deny   udp any any eq netbios-ns log-input
deny   udp any any eq netbios-dgm log-input
deny   tcp any any eq 135 log-input
deny   tcp any any eq 139 log-input
deny   tcp any any eq 443 log-input
deny   tcp any any eq 445 log-input
deny   udp any any eq 1434 log-input
deny   tcp any any eq 3389 log-input
deny   tcp any any eq 4444 log-input
  deny   tcp any any eq telnet log-input
deny   tcp any any eq www log-input
  deny   icmp any any echo log-input
  permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit icmp any any source-quench
  deny   ip any any
ip access-list extended FromLAN
  permit udp any host 205.152.144.23 eq domain
permit udp any host 204.152.132.23 eq domain
permit udp any host 10.10.10.1 eq domain
permit tcp any host 205.152.144.23 eq domain
permit tcp any host 204.152.132.23 eq domain
permit tcp any host 10.10.10.1 eq domain
  permit ip any 65.25.8.224 0.0.0.31 log
permit ip any 69.25.240.224 0.0.0.31 log
permit ip any host 66.165.74.175 log
  permit ip any host 67.51.255.195 log
permit ip any host 66.165.74.195 log
permit ip any host 204.245.225.195 log
  permit ip any host 204.245.227.39 log
  permit ip any 67.151.126.192 0.0.0.31 log
permit ip any host 66.38.151.217 log
  permit ip any 65.215.93.0 0.0.0.255 log
permit ip any host 192.92.91.53 log
  permit ip any host 66.165.171.186 log
  permit ip any host 93.184.71.27 log
permit ip any 89.202.149.32 0.0.0.31 log
permit ip any 89.202.157.192 0.0.0.31 log
permit ip any 89.202.157.224 0.0.0.31 log
permit ip any host 90.183.101.10 log
permit ip any 62.67.184.64 0.0.0.31 log
permit ip any host 93.184.71.10 log
permit ip any host 93.184.71.21 log
  permit ip any host 72.3.254.86 log
  permit ip any host 12.34.65.180 log
permit ip any 64.28.78.160 0.0.0.31 log
permit ip any host 198.171.138.207 log
permit ip any host 209.161.16.30 log
permit ip any host 82.165.61.145 log
  permit ip any 12.34.65.0 0.0.0.255 log
  permit udp any any eq bootps bootpc
permit udp any any eq bootps bootps
  permit ip any 171.128.0.0 0.63.255.255 log
permit ip any 171.192.0.0 0.7.255.255 log
permit ip any 171.200.0.0 0.3.255.255 log
permit ip any 171.204.0.0 0.1.255.255 log
permit ip any 171.206.0.0 0.1.255.255 log
  permit ip any 66.175.107.192 0.0.0.31 log
  permit tcp any host 140.239.191.10 log
permit udp any host 140.239.191.10 log
  permit tcp any host 12.148.220.160 log
permit udp any host 12.148.220.160 log
  permit tcp any 209.46.44.0 0.0.0.255 log
permit udp any 209.46.44.0 0.0.0.255 log
  deny   ip any host 64.4.20.174 log
deny   ip any host 64.4.20.169 log
deny   ip any host 64.4.20.184 log
deny   ip any host 64.4.20.186 log
  deny   ip any host 80.12.96.17 log
deny   ip any host 80.12.96.64 log
deny   ip any host 192.204.11.25 log
deny   ip any host 192.204.11.35 log
deny   ip any host 192.204.11.49 log
deny   ip any host 192.204.11.80 log
deny   ip any host 198.64.174.41 log
deny   ip any host 198.64.174.64 log
deny   ip any host 209.107.220.27 log
deny   ip any host 209.107.220.35 log
deny   ip any host 209.107.220.59 log
deny   ip any host 209.107.220.82 log
  deny   ip any host 65.54.165.136 log
deny   ip any host 65.54.165.137 log
deny   ip any host 65.54.165.175 log
deny   ip any host 65.54.165.177 log
deny   ip any host 65.54.186.17 log
deny   ip any host 65.54.186.19 log
deny   ip any host 65.54.186.47 log
deny   ip any host 65.54.186.49 log
deny   ip any host 65.54.186.77 log
deny   ip any host 65.54.186.79 log
deny   ip any host 65.54.186.107 log
deny   ip any host 65.54.186.109 log
  deny   ip any host 65.55.17.25 log
deny   ip any host 65.55.17.26 log
deny   ip any host 65.55.17.27 log
  permit tcp any 62.67.184.64 0.0.0.31 eq www 443 log
permit tcp any 64.0.0.0 0.0.255.255 eq www 443 log
permit tcp any 64.4.0.0 0.0.63.255 eq www 443 log
permit tcp any 64.94.0.0 0.1.255.255 eq www 443 log
permit tcp any 64.142.64.0 0.0.63.255 eq www 443 log
permit tcp any 64.158.0.0 0.0.255.255 eq www 443 log
permit tcp any 64.211.0.0 0.0.127.255 eq www 443 log
permit tcp any 64.211.128.0 0.0.63.255 eq www 443 log
permit tcp any 64.211.192.0 0.0.31.255 eq www 443 log
permit tcp any 64.212.0.0 0.3.255.255 eq www 443 log
permit tcp any 65.48.0.0 0.7.255.255 eq www 443 log
permit tcp any 65.59.0.0 0.0.255.255 eq www 443 log
permit tcp any 68.142.64.0 0.0.63.255 eq www 443 log
permit tcp any 207.46.0.0 0.0.255.255 eq www 443 log
permit tcp any 207.138.0.0 0.0.255.255 eq www 443 log
permit tcp any 208.73.208.0 0.0.7.255 eq www 443 log
permit tcp any 208.172.0.0 0.0.255.255 eq www 443 log
permit tcp any 213.138.128.0 0.0.31.255 eq www 443 log
  permit ip any host 74.233.55.33 log
  deny   ip any any
logging history debugging
logging trap debugging
logging origin-id hostname
logging source-interface Dialer1
logging 74.233.236.14
access-list 23 permit 10.10.10.0 0.0.0.255 log
access-list 23 deny   any log
access-list 25 permit 74.233.236.14 log
access-list 25 permit 66.175.107.192 0.0.0.31 log
access-list 25 deny   any log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner motd ^CCC
*** Unauthorized access is strictly prohibited.  ALL connections are monitored.
***^C
!
line con 0
exec-timeout 15 0
no modem enable
stopbits 1
line aux 0
exec-timeout 15 0
stopbits 1
line vty 0 4
access-class 25 in
exec-timeout 120 0
password 7 XXXXXXXXXXXXXXXXXX
length 0
transport input ssh
!
scheduler max-task-time 5000
ntp logging
ntp authenticate
ntp clock-period 17179494
ntp source Dialer1
ntp server 69.173.64.15
ntp server 66.254.57.165
end

James

You may not necessarily want to do this as it can consume too many router processes. Increasing the buffer size takes more memory away from other processes. You may want to look at sending your messages to a syslog server.

Rate-limiting can also be turned off but again it can impact on the router performance.

A lot does depend on how much spare resource ie. CPU/memory you have on your router currently. Have a look at the command reference covering logging and decide if you want to do this -

http://www.cisco.com/en/US/customer/docs/ios/netmgmt/command/reference/nm_09.html

Jon

Jon,

Take a peek at my config. I am sending the syslog messages to a server. However, I'm also keeping them in the buffer as well.

James

James

Oops, sorry, didn't look at the config.

If you are logging to a syslog server then I wouldn't worry too much about increasing your buffer but you may want to turn off rate-limiting. It depends on just how much logging is happening, i.e. how often the ACL is hit. Rate-limiting and having a buffer limit are there to protect the router, and if the ACL is hit a lot that would generate a lot of logging and network traffic if you are logging to a syslog server.

Jon

Jon,

How can I turn off rate-limiting?

Also, should I be more concerned with memory or CPU usage when turning off rate-limiting?

Thanks!

James

jaesposito wrote:

Jon,

How can I turn off rate-limiting?

Also, should I be more concerned with memory or CPU usage when turning off rate-limiting?

Thanks!

James

James

That was why I sent you the link to the command reference for logging. It covers a lot of what you are asking.

rate-limiting

As far as I know rate-limiting is more of a CPU thing but it does depend, as I said, on what the current usage of both are at the moment.

Jon

Jon Marshall

jaesposito wrote:

All,

Can somebody educate me as to what the below syslog entries mean?

=================================

017842: Apr  3 22:31:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
017846: Apr  3 22:32:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
017851: Apr  3 22:33:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
017855: Apr  3 22:34:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 9 packets

017990: Apr  3 23:02:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 10 packets
017994: Apr  3 23:03:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets

018004: Apr  3 23:05:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 8 packets
018008: Apr  3 23:06:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 8 packets
018012: Apr  3 23:07:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 5 packets
018016: Apr  3 23:08:17: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets

=================================

I'd like to know if this may be affecting outbound traffic from my Ethernet to my Dialer1 interface.

James E

James

It is simply to do with logging ie. it has nothing to do with the actual traffic passing through the router -

Error message decoder

Jon

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

You can use the "logging size" command to change the logger configuration size. This specifies the maximum number of entries retained in the configuration log (1-1000). Default is 100.

To control how much system memory may be used for queued messages, use the ''logging queue-limit'' command.

To adjust the limit of messages logged per second, use the ''logging rate-limit'' command.

You can set the buffer size for logs, using the command ''logging buffer buffer-size''

Federico.

Federico,

What are the default values for all of those configuration parameters?

Thanks!

James

Default values:


logging size = 100
logging queue-limit = 100
logging rate-limit = 10

Caution with the "logging rate-limit" command, as it specifies the number of messages to be logged per second and, as Jon said, it could cause performance issues if you modify this setting.

The default value for logging buffer buffer-size is platform dependent.

Federico.
