Pix and Syslog

mgaysek
Level 1

We have noticed that when the syslog server becomes unavailable the PIX generates large amounts of ICMP reverse path check errors. Can someone explain why this happens and if it can be prevented.

Thanks

marcus

3 Replies

fzamora
Cisco Employee

Hi,

By disabling the syslog server, you are effectively DoSing the PIX.

The PIX sends syslog messages to the Windows-based syslog server on UDP port 514.

Windows doesn't have a service listening on that port, so it sends back a port unreachable message. That ICMP message gets back to the PIX, where "ip audit" is applied to the interface, causing the PIX to generate a syslog for the unreachable message it got from the syslog server in response to the syslog that the PIX originally sent it. Got it ;-)

The solution is to disable the logging of the ICMP unreachable message, disable the audit command, or remove the logging host command if the syslog server is unavailable.

I hope it helps.

Franco Zamora
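The three remedies from the reply above, written out as PIX configuration. This is an added example and not configuration posted in the thread; it uses PIX 6.x-style syntax, and the interface name, addresses, the audit policy name INFO, the signature number 2001 and the syslog message ID 400011 are assumptions for illustration, to be confirmed on the device as noted in the comments.

```cisco
! Added example (not from the thread): PIX 6.x-style configuration showing the
! three remedies listed in the reply. Interface name, addresses and the audit
! policy name INFO are assumed for illustration.

! Starting point: syslog to a host on the inside interface, plus the
! informational IDS policy applied to that interface. ICMP port unreachables
! coming back from a dead syslog host are inspected by this policy, and the
! resulting alarm is itself sent to the same dead host.
logging on
logging trap informational
logging host inside 192.168.1.10
ip audit name INFO info action alarm
ip audit interface inside INFO

! Remedy 1: keep ip audit but stop alarming on the ICMP unreachable signature.
! 2001 is the IDS "ICMP Host Unreachable" informational signature; that it is
! the one firing here is an assumption. Confirm with
! "show ip audit count interface inside" while the syslog server is down.
ip audit signature 2001 disable

! Same remedy, other form: suppress only the syslog message for that signature.
! 400011 is assumed to be the message ID reported for IDS:2001; take the real
! ID from the repeating lines in "show logging" before suppressing anything.
no logging message 400011

! Remedy 2: remove the informational audit policy from the interface that
! faces the syslog server.
no ip audit interface inside INFO

! Remedy 3: stop sending syslog to that host until it is back.
no logging host inside 192.168.1.10
```

Each remedy breaks the loop on its own, so apply only one. Remedy 1 is the least invasive because the rest of the IDS signatures keep alarming; remedy 3 is the quickest if the server is known to be down for a while, but it also drops every other syslog the PIX would have sent in the meantime.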

Great! Thank you... does the same happen on UNIX-based syslog servers?

If the UNIX server does not have a listening port, I assume the behavior will be the same.

Franco
