Thank you for the reply. We have always logged straight to KIWI running on an NT machine and never used PFSS. I first encountered this when I was trying to log to a server on the otherside of my vpn. After a few minutes the pix started refusing all connections. We disabled syslogging and the pix opened back up after a few minutes. I opened a case at that time and the TAC person told me about the article. I started using an inside server for syslogging that did not rely on the vpn tunnel and never experienced it again. Now I have another one of my divisions that experiencing the same problem only their server is on the same subnet. I told them to discontinue using syslog until I could find the answer. As soon as they turned off the syslog they were able to operate as usual. We checked the CPU and it was not even breaking a sweat when syslogging was on. We are using version 6.2.2 On a pix 506.

Syslog is UDP port 514 and so the PIX doesn't know if the packets are received by the syslog or not. So it's not a communication issue between the syslog server and the PIX. The syslog can be up or down and the PIX will send packets to it. My guess is that when you enable the logging, that process is messing with another process on the PIX, preventing traffic. So I think it's a bug. My recommendation would be do a show tech-support and open a case with TAC. Also look at your show xlates and show conn local/for x.x.x.x when the connections stop.

Let us know what happens as this is a good one.

Steve

Steve,

Here is the answer from TAC. We were using TCP to syslog and we changed to UDP and it worked fine from that point on.

Cheri,

I'm Marty and I will be assisting you with your Pix issue. When you enable the syslog, did you indicate in the logging host command that the message should be sent to the syslog server through the TCP port? If you have then this could be your problem. If for any reason the Pix cannot connect to the syslog server it stops passing traffic. The reason for this is because the Pix has been configure to send the message with information pertaining to the connections being made. If it can't send the messages it won't allow new connections until it can record the infomation about the connections again. This only happens with TCP cofigured because of the way TCP works. The Pix has to receive the SYN ACK from the syslog server in order to send the messages. With UDP beign connectionless, the Pix just records the infomation and sends the messages not caring whether or not the server is responding. Take a look at you config and see if the logging host command has "6/xxx", the xxx being a number representing the port. If it does remove the command and re-enter it without specifying a protocol and port. This will cause the Pix to use the default UDP port of 514. If you don't see this at the end of the command, send me a show tech from the Pix with syslogging enabled. Thank you, Martin Oeinck Security Team 904-443-6528 x34885