One of my firewalls hung and stopped VPN from working. Rebooting the firewall resolved the issue.
Is there a method on how I can tell what caused this? Syslog is enabled but I'm not sure where the messages and logs are being transferred to because someone else configured this. Anyone know how I can figure this info out?
I also noticed a graphical interface. How is this viewed and configured?
You should install a syslog application, e.g. SolarWinds syslog or Kiwi Syslog; both have different features but serve the purpose of a syslog application well enough.
Then log into your PIX config mode and write these commands:
#logging host inside >your syslog system ip<
#logging trap informational or debugging
This will make the PIX forward all logging messages to your syslog machine, and later you can analyze what's causing the issue.
HTH, please rate it
Thanks for the response.
If I issue the show logging command, it gives me some info but not much is helpful. On the first line it says syslog enabled.
How can I view the syslog logs? I never set up the firewall so I'm not sure how the person configured it.
That's only the internal log buffer, which is small. To capture the output, set up the syslog program mentioned above on a computer / server, make sure UDP 514 is open and issue:
logging host inside (ip of syslog svr)
logging trap (level)
where level is info or debug.
This will give you plenty of log info
Thanks for the reply.
When I issue sh logging, it shows syslog enabled already.
Someone may have configured this on the firewall already. Are there any methods on how to figure out where the syslog program is outputting to?
Did you install and configure the PIX as I explained above?
Are you saying you still cannot see the logs in your syslog application?
I will have to try it on Monday.
My concern is that someone has already configured it. When I issue the sh logging command it's telling me that syslog is enabled. What can that mean? I'm starting to assume that it's already generating logs but I'm not sure where they're output to.
If I install the syslog app, won't it capture errors going forward? I'm trying to figure out what caused the firewall to kill the vpn on Friday.
On the output of the "show logging" command you should see something like this:
Syslog logging: enabled
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level notifications, 233423171 messages logged
Trap logging: level notifications, 31732377 messages logged
Logging to outside 18.104.22.168
History logging: level errors, 4034648 messages logged
The key line above is the "Logging to outside 22.214.171.124" which says you have an external syslog server configured. If you don't have something similar to this (note that the "outside" is referring to the interface you are sending logs to - yours would probably show "inside") then you are only logging to the internal buffer as someone else has mentioned.
Get Kiwi and follow their instructions for setting up syslog - they have pretty good instructions for getting it to work on a PIX.
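Added example (not part of any post in this thread): a Python sketch of the check described in the reply above, run over saved "show logging" output to report whether a remote syslog host is configured or only the internal buffer is in use. The sample text is constructed, its address is a documentation-range placeholder, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the "show logging" output quoted in the thread;
# 192.0.2.10 is a documentation-range placeholder, not an address from the page.
SAMPLE = """\
Syslog logging: enabled
    Timestamp logging: enabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level notifications, 233423171 messages logged
    Trap logging: level notifications, 31732377 messages logged
        Logging to outside 192.0.2.10
    History logging: level errors, 4034648 messages logged
"""

FACILITY = re.compile(
    r"^\s*(\w+) logging:\s*(enabled|disabled|level (\w+), (\d+) messages logged)", re.I)
HOST = re.compile(r"^\s*Logging to (\S+) (\d{1,3}(?:\.\d{1,3}){3})")

def parse_show_logging(text):
    """Return (remote hosts, per-facility settings) from captured output."""
    hosts, settings = [], {}
    for line in text.splitlines():
        m = HOST.match(line)
        if m:  # the key line: interface name plus syslog server address
            hosts.append({"interface": m.group(1), "ip": m.group(2)})
            continue
        m = FACILITY.match(line)
        if m:
            name = m.group(1).lower()
            if m.group(3):  # "level X, N messages logged"
                settings[name] = {"level": m.group(3).lower(), "count": int(m.group(4))}
            else:           # plain enabled / disabled
                settings[name] = {"enabled": m.group(2).lower() == "enabled"}
    return hosts, settings

def summarize(text):
    """One-line answer to 'where are the logs going?'."""
    hosts, settings = parse_show_logging(text)
    if not settings.get("syslog", {}).get("enabled"):
        return "logging is disabled"
    if hosts:
        dests = ", ".join(f"{h['ip']} via {h['interface']}" for h in hosts)
        level = settings.get("trap", {}).get("level", "unknown")
        return f"remote syslog to {dests} at trap level {level}"
    return "no remote syslog host; messages only reach the internal buffer"

if __name__ == "__main__":
    print(summarize(SAMPLE))
```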
Okay, I fully understand now.
I have been speaking with someone in regards to this firewall and they stated that the memory becomes full and must be rebooted once per month.
Is there a way where I can list this information (total memory size, how much memory is being used, etc.)?
I know the syslog just gives you traffic information but I don't think it will give information related to the memory.
You can do a "show memory" command:
Free memory: 183018200 bytes
Used memory: 85417256 bytes
Total memory: 268435456 bytes
If the firewall is running out of memory and must be rebooted, you have a significant problem. I have not seen or heard of anything like that. What version of PIXOS are you running?
Thanks for the response. I will have to issue this command the next time I run into a problem. It's got 49405952 bytes free right now out of 67108864.
Here is the firewall info:
Cisco pix version 6.1(2)
Cisco pix device manager version 1.1(2)
If you are running ipsec, there is an issue in your version regarding a memory leak. It is bug # CSCdw38189 - see link below.
If the PIX crashes (reboots) you could attach a PC to the console of the FW and capture the console output (tracebacks) when the PIX reboots.
Also, the same technique can be used to make sure when it does reboot, there are no other errors showing up.
Regarding the GUI you show in the link - that is using a tool called Sawmill (http://www.sawmill.net) to analyze a log file.
You might download an eval copy to see if it works for you.
Good luck - Scott