Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX 515e and syslog

Hi there,

I ran into specific problem with new PIX 515 that we purchased to replace old Netscreen. The problem is pretty known: message on PIX "PIX is not accepting new connections". The solution is also known: go and fix your syslog server (if it's configured on PIX). I did have syslog configured and after fixing the server everything became functioning properly.

The real question is why create such dependencies?

My understanding is if for some reasons (core dump, reboot of syslog server, etc.) syslog server is not responding, then whole network is screwed because PIX is no longer accepting new connections. Neither DMZ nor VPN won't work.

Is there any explanation of this? Especially if PIX had been configured to send messages over UDP. And is there any solution to avoid this problem (besides do not configure syslog).

Thank you!

--ivan

3 REPLIES

Re: PIX 515e and syslog

To avoid this don't specify that the message should be sent to the syslog server through the TCP port. Use UDP then you won't have this issue.

From a previous post, the reason TCP does this is "because the Pix has been configure to send the message with information pertaining to the connections being made. If it can't send the messages it won't allow new connections until it can record the infomation about the connections again. This only happens with TCP cofigured because of the way TCP works. The Pix has to receive the SYN ACK from the syslog server in order to send the messages. With UDP beign connectionless, the Pix just records the infomation and sends the messages not caring whether or not the server is responding."

Hope it helps.

Steve

New Member

Re: PIX 515e and syslog

Steve,

Ok. I saw that previous post. But. I specially indicate that PIX has been initially configured for UDP. That what confused me.

Thank you!

Ivan

Silver

Re: PIX 515e and syslog

The reason is for security. In high security environments, its preferable that no traffic be transmitted rather than traffic not logged. This prevents malicious users from disabling syslog servers to hide their traces after they've penetrated.

It is not a requirement however. The pix only does this when syslogging with TCP and not UDP. UDP is connectionless and the Pix has no idea if the message was received or not; therefore traffic is not interupted when the syslog server is unavailable. UDP is the default.

What version of software are you running? You should be using the [logging] command and not the [syslog] command.

logging host inside 10.1.1.1

This will use UDP and port 514 by default. Traffic will not be interrupted.

463
Views
4
Helpful
3
Replies
CreatePlease login to create content