I ran into a specific problem with a new PIX 515 that we purchased to replace an old Netscreen. The problem is pretty well known: the message on the PIX "PIX is not accepting new connections". The solution is also known: go and fix your syslog server (if it's configured on the PIX). I did have syslog configured, and after fixing the server everything started functioning properly.
The real question is why create such dependencies?
My understanding is that if for some reason (core dump, reboot of the syslog server, etc.) the syslog server is not responding, then the whole network is screwed because the PIX is no longer accepting new connections. Neither DMZ nor VPN will work.
Is there any explanation for this? Especially if the PIX had been configured to send messages over UDP. And is there any solution to avoid this problem (besides not configuring syslog)?
To avoid this, don't specify that the messages should be sent to the syslog server through a TCP port. Use UDP and you won't have this issue.
From a previous post, the reason TCP does this is "because the PIX has been configured to send the messages with information pertaining to the connections being made. If it can't send the messages it won't allow new connections until it can record the information about the connections again. This only happens with TCP configured because of the way TCP works. The PIX has to receive the SYN ACK from the syslog server in order to send the messages. With UDP being connectionless, the PIX just records the information and sends the messages, not caring whether or not the server is responding."
The reason is for security. In high security environments, it's preferable that no traffic be transmitted rather than traffic go unlogged. This prevents malicious users from disabling syslog servers to hide their traces after they've penetrated.
It is not a requirement, however. The PIX only does this when syslogging with TCP and not UDP. UDP is connectionless, and the PIX has no idea whether the message was received or not; therefore traffic is not interrupted when the syslog server is unavailable. UDP is the default.
What version of software are you running? You should be using the [logging] command and not the [syslog] command.
logging host inside 10.1.1.1
This will use UDP and port 514 by default. Traffic will not be interrupted.
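The TCP-versus-UDP behaviour the replies describe, as an added example that is not part of the thread: a small Python model in which TCP delivery needs a completed handshake and fails when nothing is listening, UDP delivery never learns whether the server is up, and permit_new_connections() applies the fail-closed (TCP) versus fail-open (UDP) policy the replies attribute to the PIX. The loopback ports, the collector and the message text are constructed for the demo; the facility/severity values are assumptions.

```python
import socket
import threading

def build_syslog(facility: int, severity: int, text: str) -> bytes:
    """Encode a BSD-style (RFC 3164) line: <PRI>message, where PRI = facility*8 + severity."""
    return f"<{facility * 8 + severity}>{text}\n".encode()

def free_port() -> int:
    """Return an unused loopback port; nothing listens there, which models a syslog server that is down."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def send_udp(host: str, port: int, data: bytes) -> bool:
    """UDP delivery is connectionless: sendto() succeeds whether or not a server is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(data, (host, port))
    return True

def send_tcp(host: str, port: int, data: bytes, timeout: float = 1.0) -> bool:
    """TCP delivery needs a completed handshake (the SYN-ACK the reply mentions) before data moves."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(data)
        return True
    except OSError:  # refused, timed out or reset: the message was not recorded
        return False

def permit_new_connections(transport: str, delivered: bool) -> bool:
    """Model of the policy the thread describes: TCP logging is fail-closed (no log, no new
    connection); UDP logging is fail-open because the sender cannot tell the server is down."""
    return delivered if transport == "tcp" else True

def start_tcp_collector():
    """Minimal loopback TCP receiver standing in for a reachable syslog server (constructed).
    Returns (port, thread, received) so the caller can join the thread and inspect the bytes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    received = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            received.append(conn.recv(4096))
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv.getsockname()[1], t, received
```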