We have a PIX 515E (PIX FOS ver 7) configured to syslog to 2 hosts at trap level info. We have noticed that whenever any one syslog is stopped and we do an ICMP debug trace, the PIX is found to be receiving voluminous ICMP destination unreachable messages from the syslog server which is down, and the other syslog hosts register ICMP type 3 code from the downed syslog server hitting the PIX interface. This made our PIX util peak at 99%.
Does this mean the PIX keeps
1) ICMP keepalives with every syslog host
2) And how is it that when one syslog server is down, the other syslog server registers ICMP type 3 code requests from the syslog server which has been downed, in such voluminous quantities that the PIX is overwhelmed?
Normal syslog UDP is being used in this setup. As soon as we drop the logging to warning, the problem disappears.
Have you had a look at the number of syslog messages from the PIX and the content? Each syslog message and each ICMP message to the PIX has to be processed; with many of them you might have high CPU utilization.
I am assuming that for each syslog message sent to the downed server you get a port unreachable back to the PIX. This means roughly twice the amount of CPU utilization compared to no ICMP (server not being down). Are you sure about the ICMP message being really destination unreachable? Then I would assume a router to be the source of them. The PIX does not use ICMP keepalives with syslog servers, afaik.
Changing the logging level should simply reduce the number of messages logged and therefore reduce the CPU load. In case you do not need the info level messages, this would be the recommendation: do not log what you are not using in some way; it will only waste resources like CPU in the PIX.
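The one-ICMP-per-datagram behaviour assumed in the reply above can be reproduced on loopback. This is an added example, not part of the thread: it sends syslog-style UDP datagrams to a port first with a listener bound and then with the listener stopped, and counts the ICMP port unreachable errors the kernel reports back. It assumes the receiving host stays up and only the syslog daemon is stopped; the function names and the message text are constructed for illustration.

```python
import socket

def probe(host, port, count, wait=0.1):
    """Send `count` syslog-style UDP datagrams and return how many
    ICMP port unreachable errors came back to the sender."""
    refused = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        # A connected UDP socket lets the kernel hand ICMP errors back to us.
        s.connect((host, port))
        s.settimeout(wait)
        for i in range(count):
            # Constructed sample message: facility local0, severity info (<134>).
            msg = f"<134>constructed-fw: test message {i}".encode()
            try:
                s.send(msg)
            except ConnectionRefusedError:
                refused += 1          # late ICMP error for the previous datagram
                s.send(msg)
            try:
                s.recv(1024)          # no reply expected; this surfaces the ICMP error
            except ConnectionRefusedError:
                refused += 1          # port unreachable for the datagram just sent
            except socket.timeout:
                pass                  # listener is up: datagram accepted silently
    return refused

def compare(count=5):
    """Return (errors with listener up, errors after the listener is stopped)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        port = listener.getsockname()[1]
        up = probe("127.0.0.1", port, count)
    # The listener is closed here, like a stopped syslog daemon on a live host.
    down = probe("127.0.0.1", port, count)
    return up, down

if __name__ == "__main__":
    up, down = compare()
    print(f"listener up: {up} ICMP errors; listener stopped: {down} ICMP errors")
```

At info level the datagram count, and with it the ICMP count while the daemon is stopped, scales with every logged event, which is why lowering the level to warning removes the load.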