02-28-2003 12:18 PM - edited 02-20-2020 10:35 PM
Hi there,
I ran into a specific problem with a new PIX 515 that we purchased to replace an old Netscreen. The problem is pretty well known: the message on the PIX is "PIX is not accepting new connections". The solution is also known: go and fix your syslog server (if it's configured on the PIX). I did have syslog configured, and after fixing the server everything started functioning properly.
The real question is why create such dependencies?
My understanding is that if for some reason (core dump, reboot of the syslog server, etc.) the syslog server is not responding, then the whole network is screwed because the PIX is no longer accepting new connections. Neither DMZ nor VPN will work.
Is there any explanation of this? Especially if the PIX has been configured to send messages over UDP. And is there any solution to avoid this problem (besides not configuring syslog)?
Thank you!
--ivan
02-28-2003 12:29 PM
To avoid this, don't specify that the message should be sent to the syslog server through the TCP port. Use UDP; then you won't have this issue.
From a previous post, the reason TCP does this is "because the Pix has been configured to send the message with information pertaining to the connections being made. If it can't send the messages it won't allow new connections until it can record the information about the connections again. This only happens with TCP configured because of the way TCP works. The Pix has to receive the SYN ACK from the syslog server in order to send the messages. With UDP being connectionless, the Pix just records the information and sends the messages not caring whether or not the server is responding."
Hope it helps.
Steve
02-28-2003 12:32 PM
Steve,
Ok. I saw that previous post. But I specifically indicated that the PIX had been initially configured for UDP. That is what confused me.
Thank you!
Ivan
02-28-2003 12:31 PM
The reason is for security. In high-security environments, it's preferable that no traffic be transmitted rather than traffic not be logged. This prevents malicious users from disabling syslog servers to hide their traces after they've penetrated.
It is not a requirement, however. The PIX only does this when syslogging with TCP and not UDP. UDP is connectionless and the PIX has no idea if the message was received or not; therefore traffic is not interrupted when the syslog server is unavailable. UDP is the default.
What version of software are you running? You should be using the [logging] command and not the [syslog] command.
logging host inside 10.1.1.1
This will use UDP and port 514 by default. Traffic will not be interrupted.
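Added configuration example, not from this thread or from Cisco's documentation: the TCP form of the logging host command that produces the blocking behaviour described above, beside the UDP form the reply recommends. The interface name "inside" and host 10.1.1.1 come from the post; the port numbers and the logging level are assumed.

```cisco
! --- Weak setting: TCP syslog ---
! The PIX must complete a TCP handshake with the collector before it can deliver a
! message, so a dead or rebooting collector results in "PIX is not accepting new
! connections" and traffic through the firewall stops.  (tcp/1468 is an assumed port.)
logging on
logging trap informational
logging host inside 10.1.1.1 tcp/1468
!
! --- Corrected setting: UDP syslog (the default) ---
! Datagrams are fire-and-forget: an unreachable collector only means lost log lines,
! never blocked traffic.  Omitting the protocol/port is equivalent to udp/514.
logging on
logging trap informational
logging host inside 10.1.1.1 udp/514
!
! Verify which transport is in use with:  show logging
!
! Note (outside the scope of this 2003 thread): on later PIX 7.x / ASA software,
! "logging permit-hostdown" keeps traffic flowing even when a TCP syslog host is down.
```

The trade-off is the one Steve's second reply describes: UDP keeps the network up but silently loses log lines while the collector is unreachable, so monitor the collector itself.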