Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
321
Views
3
Helpful
2
Replies

PIX syslog paradox

mbalasubramanian
Level 1
Level 1

‎02-07-2006 08:48 AM - edited ‎02-21-2020 12:41 AM

We have a pix 515E pix fos ver 7 configured to syslog to 2 hosts on trap level info.We have noticed whenever any one syslog is stopped...and do a icmp debug trace..the pix is found to be receiving icmp voluminous destination unreachable from the syslog server which is down and the other syslog hosts register icmp type code 3 from the downed syslog server hitting the pix interface.This maked our PIX util peak to 99%

Does this mean PIX keeps

1)ICMP keepalives with every syslog hosts

2)And how is it when one syslog server is down the other syslog server registers icmp type 3 code requests from the syslog server whcih has been downed in such voluminous quantities that the PIX is overwhelmed

Normal syslog udp is being used in this setup , as soon as we drop the logging to warning..the problem disappears

Pls advise

0 Helpful
2 Replies 2

mheusinger
Level 10
Level 10

‎02-07-2006 10:57 AM

Hello,

have you had a look at the number of syslog messages from the PIX and the content? Each syslog message and each ICMP message to the PIX have to be processed, many of them and you might have high CPU utilization.

I am assuming, that for each syslog message sent to the downed server you get a port unreachable back to the PIX. This means roughly twice the amount of CPU utilization compared to no ICMP (server nod being down). Are you sure about the ICMP message being really destination unreachable? Then I would assume a router to be the source of them. The PIX does not use ICMP keepalives with syslog servers, afaik.

Changing the logging level should simply reduce the number of messages logged and therefore reduce the CPU load. In case you do not need the info level messages this would be the recommendation - do not log, what you are not using in some way, it will only waste ressources like CPU in the PIX.

Hope this helps! Please rate all posts.

Regards, Martin

mpalardy
Level 3
Level 3

‎02-08-2006 06:50 AM

We had the same problem here when syslog server or snmp-server (trap) went under maintenance.

This command on the pix solved the issue.

icmp permit host _ip_server_ unreachable inside

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1026574

HTH

Mike

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card