Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
272
Views
5
Helpful
2
Replies

Problem with Pix525 using Syslog Server Kiwi

gclavadetscher
Level 1
Level 1

‎10-11-2002 01:01 AM - edited ‎03-09-2019 12:38 AM

Hi,

I tried yesterday to send log on a Kiwi Server on a DMZ, on port TCP 1468.

First I didn't get any message then the PIX stopped to allow any connection ->

I got the message (on pix, buffer), PIX Disallow any connection, I had to stop the syslog service (trap) and reboot the PIX.

Had someone the same Problem and how did he fix it?

Thanks, Gael

Labels:
0 Helpful
2 Replies 2

jekrauss
Level 1
Level 1

‎10-11-2002 03:59 AM

Hi Gael,

You should NOT be using TCP for sending syslogs. TCP syslogging is only used with the PFSS syslog server and is designed for those users who want their PIX to stop passing traffic if connectivity is lost to the syslog server.

Consequently, you will probably want to change your logging to udp.

logging host

Here's an excerpt of the relevant documentation on the pix logging command, as well as a link:

Logging

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#xtocid15

Usage Guidelines

If you are using TCP as the logging transport protocol, the PIX Firewall stops passing traffic as a security measure if any of the following error conditions occur: the PIX Firewall is unable to reach the syslog server; the syslog server is misconfigured (such as with PFSS, for example); or the disk is full. (UDP-based logging does not prevent the PIX Firewall from passing traffic if the syslog server fails.)

To enable the PIX Firewall to pass traffic again, do the following:

--------------------------------------------------------------------------------

Step 1 Identify and correct the syslog server connectivity, misconfiguration, or disk space error condition.

Step 2 Enter the command logging host inside 10.1.1.1 tcp/1468 to enable the logging again.

Alternately, you can change the logging to default logging on UDP/514 by issuing the command logging host inside 10.1.1.1. UDP-based logging passes traffic even if the syslog server fails.

HTH

Jeff

gclavadetscher
Level 1
Level 1
In response to jekrauss

‎10-11-2002 04:21 AM

Hi

Well I'm now using the 3CDaemon (3cdv2r10.zip ) from 3Com. Who's also freeware:

-> http://www.3com.com/products/en_US/result.jspselected=3&sku=3C16951-US&sort=effdt&order=desc

(not better then Kiwi but has ftp,tftp server inclusiv)

And as you told me, I change to udp 514.

It's look to work much better...

Thanks for the advice.

Gael

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents