Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Logging to a downed Syslog server

When the PIX logs to a syslog server, but that server is down, the router continuously sends icmp messages "host unreachable". The above scenario overloads the corporate network even though everything device is acting properly. Does anyone have any suggestions on what to do if a syslog server goes down, so the entire network is not affected? Thanks.

  • Other Security Subjects
5 REPLIES
Cisco Employee

Re: Logging to a downed Syslog server

This is a common issue where the PIX is also configured for IDS signatures, and it gets in a loop sending and receiving syslog messages. Basically it tries to send a syslog to the unavailable syslog server for every message it receives. It receives the ICMP host unreachable which fires off IDS signature 2001, which it then also tries to log to the syslog server, for which it receives another ICMP Unreachable, which it tries to log again, and so on and so on. It's relatively easy in this situation to spike the CPU on the PIX up high it goes crazy trying to log all those messages.

The easy workaround is just not to log those particular types of syslog messages, or turn off that IDS signature. One of the following two commands should do the trick for you:

ip audit signature 2001 disable

no logging message 400011

If this isn't your problem, then you need to give us more information about exactly what "overloading the corporate network" means?

New Member

Re: Logging to a downed Syslog server

That is exactly our problem. We only stumbled across this problem when I was trying Kiwi syslog on my laptop. I guess there is no way to have the messages disabled/turned off ONLY when this problem occurs? Or if the address for the syslog is not available, don't send logs? Anything like this?

New Member

Re: Logging to a downed Syslog server

Hi

Could you tell us the url link for this issue enabling IDS on unavailable syslog server might impact the PIX performance

Thanks

New Member

Re: Logging to a downed Syslog server

I didn't get any reply from my previous message about the url link so here my question what if the given below logging commands did not give any syslog server will enabling IDS still impact the pix performance ?

logging enable

logging timestamp

logging buffered debugging

logging trap debugging

logging queue 1024

Pls advise. TIA

New Member

Re: Logging to a downed Syslog server

why not just put

no ip unreachables

on the router interface facing the pix ?

Why not lop the problem off at the source ?

130
Views
12
Helpful
5
Replies
This widget could not be displayed.