04-10-2006 12:07 PM - edited 03-09-2019 02:34 PM
When the PIX logs to a syslog server, but that server is down, the router continuously sends ICMP "host unreachable" messages. The above scenario overloads the corporate network even though every device is acting properly. Does anyone have any suggestions on what to do if a syslog server goes down, so the entire network is not affected? Thanks.
04-10-2006 11:02 PM
This is a common issue where the PIX is also configured for IDS signatures, and it gets in a loop sending and receiving syslog messages. Basically it tries to send a syslog to the unavailable syslog server for every message it receives. It receives the ICMP host unreachable, which fires off IDS signature 2001, which it then also tries to log to the syslog server, for which it receives another ICMP unreachable, which it tries to log again, and so on and so on. It's relatively easy in this situation to spike the CPU on the PIX up high; it goes crazy trying to log all those messages.
The easy workaround is just not to log those particular types of syslog messages, or turn off that IDS signature. One of the following two commands should do the trick for you:
ip audit signature 2001 disable
no logging message 400011
If this isn't your problem, then you need to give us more information about exactly what "overloading the corporate network" means.
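As an added example (not from the thread or from Cisco), here is a small Python check a defender could run over captured PIX syslog to spot the 400011 storm the loop above produces; the exact text layout of message 400011 and the per-second threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter, deque

# Assumed layout of PIX message 400011 (the message the thread suggests
# suppressing); the message id and IDS signature 2001 come from the thread.
MSG_400011 = re.compile(
    r"%PIX-4-400011: IDS:2001 ICMP unreachable from (?P<src>[\d.]+) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)

def parse_400011(line):
    """Return (src, dst, iface) for a 400011 line, or None for any other line."""
    m = MSG_400011.search(line)
    return (m.group("src"), m.group("dst"), m.group("iface")) if m else None

def detect_loop(events, window_ms=1000, threshold=20):
    """events: (milliseconds, syslog_line) pairs in time order.

    Returns (peak, top_src, looping): peak is the most 400011 messages seen in
    any sliding window of window_ms, top_src the address most often named as
    the ICMP sender (the router in the thread's scenario), looping True when
    peak exceeds the threshold (assumed: a few 2001 hits are normal, a loop
    produces a steady flood).
    """
    window = deque()          # timestamps of 400011 hits inside the window
    senders = Counter()
    peak = 0
    for ts, line in events:
        hit = parse_400011(line)
        if hit is None:
            continue
        senders[hit[0]] += 1
        window.append(ts)
        while ts - window[0] >= window_ms:   # drop hits older than the window
            window.popleft()
        peak = max(peak, len(window))
    top_src = senders.most_common(1)[0][0] if senders else None
    return peak, top_src, peak > threshold

# Constructed capture: one ordinary message, one isolated 2001 hit, then a
# 400011 burst from next-hop router 10.0.0.1 to the PIX outside address.
LOOP = "%PIX-4-400011: IDS:2001 ICMP unreachable from 10.0.0.1 to 10.0.0.2 on interface outside"
SAMPLE = [
    (0, "%PIX-6-302013: Built outbound TCP connection 1 for outside:198.51.100.5/80"),
    (100, LOOP.replace("10.0.0.1", "203.0.113.9")),
] + [(500 + 20 * i, LOOP) for i in range(60)]

if __name__ == "__main__":
    print(detect_loop(SAMPLE))  # (50, '10.0.0.1', True)
```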
04-11-2006 11:36 AM
That is exactly our problem. We only stumbled across this problem when I was trying Kiwi syslog on my laptop. I guess there is no way to have the messages disabled/turned off ONLY when this problem occurs? Or if the address for the syslog is not available, don't send logs? Anything like this?
04-18-2006 03:23 AM
Hi,
Could you tell us the URL link for this issue, that enabling IDS with an unavailable syslog server might impact the PIX performance?
Thanks
04-19-2006 05:37 AM
I didn't get any reply to my previous message about the URL link, so here is my question: if the logging commands given below do not specify any syslog server, will enabling IDS still impact the PIX performance?
logging enable
logging timestamp
logging buffered debugging
logging trap debugging
logging queue 1024
Pls advise. TIA
04-24-2006 05:35 AM
Why not just put
no ip unreachables
on the router interface facing the PIX?
Why not lop the problem off at the source?