Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

What does 'link down" mean when viewing output of sh logging for a specific logging to server?

On a 3560 I have (2) syslog servers defined. Both are up and operational and reachable via ping from the switch.  However on the second defined logging server on the output of the sh logging command it states a "link down" (see below for command output).  This syslog server is not receiving any syslog traps defined.  The logging defined is logging trap warnings.  I have verified trap messages are in the log output at the defined severity level and above(error/critical).  My assumption is that the link down has something to do with why no syslog is being sent to this server. 

   Logging to x.x.x.x  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link up),
              225 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled
        Logging to x.x.x.x  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link down),
              0 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled

thanks,

james

Everyone's tags (1)
10 REPLIES
Hall of Fame Super Blue

Re: What does 'link down" mean when viewing output of sh logging

fatboyinva wrote:

On a 3560 I have (2) syslog servers defined. Both are up and operational and reachable via ping from the switch.  However on the second defined logging server on the output of the sh logging command it states a "link down" (see below for command output).  This syslog server is not receiving any syslog traps defined.  The logging defined is logging trap warnings.  I have verified trap messages are in the log output at the defined severity level and above(error/critical).  My assumption is that the link down has something to do with why no syslog is being sent to this server. 

   Logging to x.x.x.x  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link up),
              225 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled
        Logging to x.x.x.x  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link down),
              0 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled

thanks,

james

James

You assumption is correct. For some reason the switch thinks that the second syslog server is not working hence the reason it doesn't send any messages.

I know you said you could ping it but can you confirm that the syslog service is actually up and running on the 2nd server and that there is filtering either

1) on the syslog server itself

2) along the path from the switch to the syslog server that is denying udp port 514

Jon

New Member

Re: What does 'link down" mean when viewing output of sh logging

Jon,

To answer your questions:

  1) Syslog is running on the server.  The windows server is running Kiwi/Solarwinds.  When I do a netstat -an I see udp 514 listening:

UDP    0.0.0.0:514           *:*

I am also receiving other syslog data from Cisco switches on this syslog server. In addition windows firewall is turned off.

2) The only device between this Cisco 3560 and the syslog server is another Cisco switch (distribution switch).  No firewall or other blocking device exists in addition to any access lists.  Here's a sample traceroute;

Type escape sequence to abort.
Tracing the route to (x.x.x.x)

  1 x.x.x x msec 0 msec 0 msec
  2 (x.x.x.x) 9 msec 0 msec 0 msec

thanks for your reply.

New Member

Re: What does 'link down" mean when viewing output of sh logging

Hi Folks

Good Afternoon

I am facing the same issue as describe above with a few 4948's switches. I was wondering if any solution was found?

many thanks

New Member

Re: What does 'link down" mean when viewing output of sh logging

Hello,

I did not find a fix, but the resolution in our case was to reload the switch.  That seemed to clear the ip sockets table.   Also, a helpful command that was used is sh ip sockets.  Here is a sample output:

Proto    Remote      Port      Local      Port     In Out Stat  TTY OutputIF
17     --listen--                  1.2.1.41    1975   0   0     11     0
17     0.0.0.0             0     1.2.1.41      67     0   0    2211   0
17     0.0.0.0             0     1.2.1.41    2228    0   0    211    0
17     10.1.1.1        60059  1.2.1.41     161    0   0    1       0
17   --listen--                     1.2.1.41     162    0   0   11      0
17   --listen--                     1.2.1.41   60380   0   0    1       0
17   --listen--          --any--                  161    0   0   20001  0
17   --listen--          --any--                  162    0   0   20011  0
17   --listen--          --any--                 64379  0   0   20001  0
17   --listen--                   1.2.1.41     123   0  0  1   0
17   172.17.9.2      514    1.2.1.41      58781   0   0  400201  0
17   172.17.8.2      514    1.2.1.41      55647   0   0  400201  0

thanks,

james

New Member

Re: What does 'link down" mean when viewing output of sh lo

thanks James I will try it.

Thanks again for that I do appreciate.

Rommel

On Wed, Jun 23, 2010 at 9:18 PM, jawill47ec <

New Member

Probably poor form to wake

Probably poor form to wake this up from many years ago, but we found today that turning off syslog and turning it back on (after confirming routes are OK) also reset this functionality - tested on a 3750. (It could have been the trap level as well, we changed this at the same time).

Commands:

# no logging trap warnings

# logging trap informational

 

New Member

Not at all, this solution

Not at all, this solution worked for us. Thank you for posting!

New Member

Thank you!  This worked for

Thank you!  This worked for us on a 6509E.

New Member

This is still a current

This is still a current solution!  Used it this morning on a pair of ASR1006 routers.  Many thanks.

Anonymous
N/A

Worked for me for our IE2000s

Worked for me for our IE2000s. Changing the logging level is what did it. Changed it to informational the link came up. Changed it back to warning and the link stayed up. 

12420
Views
25
Helpful
10
Replies