Cisco Support Community

The FWSM blocks all traffic after TCP syslog is enabled. It only permits traffic after a reboot

What is Syslog?

Syslog is a protocol that allows a machine to send event notification messages across IP networks to event message collectors - also known as Syslog Servers or Syslog Daemons. In other words, a machine or a device can be configured in such a way that it generates a Syslog Message and forwards it to a specific Syslog Daemon (Server).

Syslog messages are carried over the User Datagram Protocol (UDP), a connectionless type of Internet Protocol (IP) communication. Syslog messages are received on UDP port 514. Syslog message text is generally no more than 1024 bytes in length. Since UDP is connectionless, neither the sending nor the receiving host has any acknowledgement of receipt on which to base a retransmission. If a UDP packet is lost due to congestion on the network or due to resource unavailability, it is simply lost.

Format of a Syslog Packet

The full format of a Syslog message seen on the wire has three distinct parts.

  • PRI
  • HEADER
  • MSG

The total length of the packet cannot exceed 1,024 bytes, and there is no minimum length.

Core issue

Firewall Services Modules (FWSM) are designed to prevent new connections from being established if TCP syslog is enabled and the syslog server is not available. This design ensures that audit requirements are met and that all traffic is logged.


To resolve this problem, perform either of these solutions:

  • Use User Datagram Protocol (UDP) syslog instead of TCP syslog.
  • Use FWSM version 3.1 or later, and issue the logging permit-hostdown command to specify that the FWSM must allow new network access sessions.
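The following is an added audit check, not code from the original article or from Cisco: it scans an FWSM running configuration for logging hosts that use TCP syslog without logging permit-hostdown, the combination that blocks new connections when the collector goes down. It assumes the FWSM logging host syntax (logging host interface ip [tcp|udp][/port], TCP defaulting to port 1470 and UDP to 514) and uses constructed sample configurations.

```python
import re

# Constructed sample FWSM configurations (not taken from the original page).
# WEAK_CONFIG logs over TCP with no "logging permit-hostdown": if the collector
# becomes unreachable the module stops admitting new connections.
WEAK_CONFIG = """\
logging enable
logging trap informational
logging host inside 10.0.0.5 tcp/1470
"""

# FIXED_CONFIG keeps TCP syslog but allows traffic while the collector is down.
FIXED_CONFIG = WEAK_CONFIG + "logging permit-hostdown\n"

# UDP_CONFIG uses the UDP transport (default port 514), which never blocks.
UDP_CONFIG = """\
logging enable
logging host inside 10.0.0.5
"""

# logging host <interface> <ip> [tcp|udp][/port] (assumed FWSM syntax)
HOST_RE = re.compile(r"^logging host (\S+) (\S+)(?: (tcp|udp)(?:/(\d+))?)?", re.I)


def parse_logging_hosts(config):
    """Return (interface, ip, proto, port) for each logging host line."""
    hosts = []
    for line in config.splitlines():
        m = HOST_RE.match(line.strip())
        if not m:
            continue
        iface, ip, proto, port = m.groups()
        proto = (proto or "udp").lower()          # UDP is the default transport
        port = int(port) if port else (1470 if proto == "tcp" else 514)
        hosts.append((iface, ip, proto, port))
    return hosts


def audit_tcp_syslog(config):
    """Return one finding per TCP collector when permit-hostdown is absent."""
    lines = [l.strip() for l in config.splitlines()]
    permit_hostdown = "logging permit-hostdown" in lines
    findings = []
    for iface, ip, proto, port in parse_logging_hosts(config):
        if proto == "tcp" and not permit_hostdown:
            findings.append(f"{ip}:{port} via {iface}: TCP syslog without "
                            "'logging permit-hostdown'; new connections are "
                            "blocked if the collector is unreachable")
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG), ("udp", UDP_CONFIG)]:
        print(name, audit_tcp_syslog(cfg) or "OK")
```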


Syslog Server