10-31-2005 05:35 AM - edited 02-21-2020 12:29 AM
We have noticed that when the syslog server becomes unavailable, the PIX generates large amounts of ICMP reverse path check errors. Can someone explain why this happens and if it can be prevented?
Thanks
marcus
10-31-2005 06:17 AM
Hi,
By disabling the syslog server, you are effectively DoSing the PIX.
The PIX sends syslog messages to a Windows-based syslog server on UDP port 514.
Windows doesn't have a service listening on that port, so it sends back a port unreachable message. That ICMP message gets back to the PIX, where "ip audit" is applied to the interface, causing the PIX to generate a syslog for the Unreachable message it got from the syslog server in response to the syslog that the PIX originally sent it. Got it ;-0
The solution is to disable the logging of the ICMP unreachable message, disable the audit command, or remove the logging host command if the syslog server is unavailable.
I hope it helps.
Franco Zamora
10-31-2005 06:58 AM
Great! Thank you... Does the same happen on UNIX-based syslog servers?
10-31-2005 07:40 AM
If the UNIX does not have a listening port, I assume the behavior will be the same.
Franco
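The trigger described in the replies above is a syslog host that answers UDP 514 with ICMP port unreachable, on Windows or UNIX alike. The following is an added example, not part of any post in this thread: a small monitoring probe that reports that condition so the collector can be fixed before the firewall starts logging the replies. The function name and the probe message are assumptions made for illustration.

```python
import socket
import sys


def probe_syslog_udp(host, port=514, timeout=1.0):
    """Send one datagram to a syslog collector and report the outcome.

    Returns "unreachable" when the host answers with ICMP port unreachable
    (no service is listening, the condition described in the thread), and
    "no-error" when nothing comes back (a listener is present, or the ICMP
    reply was filtered on the way).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # A connected UDP socket lets the OS hand ICMP errors back to us.
        s.connect((host, port))
        try:
            # Constructed test message; <14> is facility user, severity info.
            s.send(b"<14>probe: syslog listener check")
            # Syslog servers never reply; we only wait for an error to surface.
            s.recv(1)
        except (ConnectionRefusedError, ConnectionResetError):
            # Linux reports ECONNREFUSED, Windows reports WSAECONNRESET.
            return "unreachable"
        except socket.timeout:
            return "no-error"
    return "no-error"


if __name__ == "__main__":
    # Usage: python probe.py <syslog-host> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
    print(target, target_port, probe_syslog_udp(target, target_port))
```

A "no-error" result does not prove the collector is healthy, only that no port unreachable message was received within the timeout.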