
Logging to a downed Syslog server

markbowman
Level 1

When the PIX logs to a syslog server but that server is down, the router continuously sends ICMP "host unreachable" messages. This scenario overloads the corporate network even though every device is acting properly. Does anyone have any suggestions on what to do if a syslog server goes down, so the entire network is not affected? Thanks.

5 Replies

gfullage
Cisco Employee

This is a common issue where the PIX is also configured for IDS signatures, and it gets in a loop sending and receiving syslog messages. Basically it tries to send a syslog message to the unavailable syslog server for every message it receives. It receives the ICMP host unreachable, which fires off IDS signature 2001, which it then also tries to log to the syslog server, for which it receives another ICMP unreachable, which it tries to log again, and so on and so on. It's relatively easy in this situation to spike the CPU on the PIX up high as it goes crazy trying to log all those messages.

The easy workaround is just not to log those particular types of syslog messages, or turn off that IDS signature. One of the following two commands should do the trick for you:

ip audit signature 2001 disable

no logging message 400011

If this isn't your problem, then you need to give us more information about exactly what "overloading the corporate network" means?

That is exactly our problem. We only stumbled across this problem when I was trying Kiwi Syslog on my laptop. I guess there is no way to have the messages disabled/turned off ONLY when this problem occurs? Or, if the address of the syslog server is not available, don't send logs? Anything like this?

Hi,

Could you tell us the URL for this issue, that enabling IDS with an unavailable syslog server might impact the PIX performance?

Thanks

I didn't get any reply to my previous message about the URL, so here is my question: if the logging commands below do not specify any syslog server, will enabling IDS still impact the PIX performance?

logging enable

logging timestamp

logging buffered debugging

logging trap debugging

logging queue 1024

Pls advise. TIA

Why not just put

no ip unreachables

on the router interface facing the PIX?

Why not lop the problem off at the source ?
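To make the feedback loop in gfullage's answer concrete, and to check the third workaround from the last reply ("no ip unreachables" on the router) against the two he gave, here is a small Python model of the loop. This is an added example, not code from the thread or from Cisco: signature 2001 and message 400011 are the identifiers named above, the ordinary event id 302013 is a constructed placeholder, and the model is deterministic where a real PIX logs asynchronously and is bounded by CPU and its logging queue rather than by a step cap.

```python
"""Model of the PIX syslog/IDS feedback loop described in the thread.

Simulation only (added example, not PIX code): the PIX sends one syslog
datagram per event; with the syslog server down the router answers each
datagram with ICMP host unreachable; that ICMP fires IDS signature 2001,
which is logged as message 400011, which is another datagram, and so on.
The three knobs in Config correspond to the three workarounds in the thread.
"""
from collections import deque
from dataclasses import dataclass

SIG_ICMP_UNREACHABLE = 2001   # IDS signature named in the thread
MSG_IDS_ALERT = 400011        # syslog message id named in the thread
MSG_ORDINARY = 302013         # id of an ordinary event; constructed placeholder


@dataclass
class Config:
    """Relevant PIX/router settings; the defaults reproduce the problem."""
    sig_2001_enabled: bool = True           # 'ip audit signature 2001 disable' -> False
    log_msg_400011: bool = True             # 'no logging message 400011'       -> False
    router_sends_unreachables: bool = True  # 'no ip unreachables' on router    -> False


def simulate(cfg: Config, syslog_server_up: bool, events: int = 1,
             cap: int = 10_000) -> int:
    """Return how many syslog datagrams the PIX emits for `events` ordinary
    log events. A result equal to `cap` means the loop never terminated."""
    pending = deque([MSG_ORDINARY] * events)
    sent = 0
    while pending and sent < cap:
        msg = pending.popleft()
        # 'no logging message 400011' drops the IDS alert before it is sent
        if msg == MSG_IDS_ALERT and not cfg.log_msg_400011:
            continue
        sent += 1                        # datagram leaves the PIX
        if syslog_server_up:
            continue                     # delivered; nothing comes back
        if not cfg.router_sends_unreachables:
            continue                     # router drops it silently; no ICMP
        # ICMP host unreachable returns to the PIX and is inspected by ip audit
        if cfg.sig_2001_enabled:
            pending.append(MSG_IDS_ALERT)   # signature 2001 -> message 400011
    return sent


def is_runaway(cfg: Config, syslog_server_up: bool, cap: int = 10_000) -> bool:
    """True when the feedback loop does not converge within `cap` datagrams."""
    return simulate(cfg, syslog_server_up, cap=cap) >= cap


if __name__ == "__main__":
    scenarios = [
        ("defaults", Config()),
        ("ip audit signature 2001 disable", Config(sig_2001_enabled=False)),
        ("no logging message 400011", Config(log_msg_400011=False)),
        ("no ip unreachables on the router", Config(router_sends_unreachables=False)),
    ]
    for name, cfg in scenarios:
        print(f"{name:36} server down -> {simulate(cfg, False):>6} datagrams,"
              f" runaway={is_runaway(cfg, False)}")
```

With the server up every configuration sends exactly one datagram per event; with it down, only the default configuration runs away, while each of the three workarounds brings the count back to one datagram per event. Disabling the signature or the message hides the loop inside the PIX, whereas "no ip unreachables" removes the trigger on the wire but also suppresses unreachables the router would otherwise send for legitimate reasons, so the choice depends on which side effect you can live with.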