
logging trap informational - PIX crashes 3

Status
Not open for further replies.

ErrolDC

MIS
May 26, 2004
72
US
Hi. I'm trying to figure out why my PIX stops routing traffic after a while when I have it logging to a syslog server.

Here is my config:
Code:
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 19-Mar-03 11:49 by morlee

DFIN-515E up 33 mins 58 secs

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : Crypto5823 (revision 0x1)
0: ethernet0: address is 000f.24dc.9f5f, irq 10
1: ethernet1: address is 000f.24dc.9f60, irq 11
Licensed Features:
Failover:           Enabled
VPN-DES:            Enabled
VPN-3DES-AES:       Enabled
Maximum Interfaces: 6
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
IKE peers:          Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: XXXXXXX
Running Activation Key: XXXXXXX
Configuration last modified by enable_15 at 16:43:41.352 EST Thu Feb 17 2005

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXX encrypted
passwd XXXX encrypted
hostname DFIN-515E
domain-name XXXX.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_out deny tcp any any eq 135
access-list acl_out deny tcp any any eq 445
access-list acl_out deny udp any any eq netbios-ns
access-list acl_out permit tcp any host xx.xxx.xxx.xxx eq smtp
access-list acl_out permit tcp any host xx.xxx.xxx.xxx eq www
access-list acl_out permit tcp any host xx.xxx.xxx.xxx eq https
access-list acl_out permit tcp any host xx.xxx.xxx.xxx eq 4343
access-list acl_out permit icmp any any echo-reply
access-list acl_in permit ip any any
pager lines 24
logging on
logging trap informational
logging host inside 172.16.101.106 6/1468
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.xxx.xxx 255.255.255.240
ip address inside 172.16.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 172.16.3.100 255.255.255.255 inside
pdm location 172.16.101.59 255.255.255.255 inside
pdm location 172.16.101.65 255.255.255.255 inside
pdm location 172.16.101.0 255.255.255.0 inside
pdm location 172.16.3.13 255.255.255.255 inside
pdm location 172.16.3.128 255.255.255.255 inside
pdm location 172.16.3.20 255.255.255.255 inside
pdm location 172.16.101.81 255.255.255.255 inside
pdm location 172.16.101.164 255.255.255.255 inside
pdm location 172.16.101.95 255.255.255.255 inside
pdm location 172.16.101.106 255.255.255.255 inside
pdm history enable
arp timeout 600
global (outside) 1 xx.xxx.xxx.xxx netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xxx.xxx.xxx 172.16.3.128 netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.xxx.xxx 172.16.3.20 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx 255
route inside 172.16.101.0 255.255.255.0 172.16.3.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.16.101.0 255.255.255.0 inside
http 172.16.101.65 255.255.255.255 inside
http 172.16.3.0 255.255.255.0 inside
snmp-server host inside 172.16.101.164 poll
snmp-server host inside 172.16.101.81 poll
snmp-server host inside 172.16.101.95 poll
snmp-server host inside 172.16.3.1 poll
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxx
snmp-server enable traps
floodguard enable
telnet 172.16.3.0 255.255.255.0 inside
telnet 172.16.101.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:00000000000000000000000000000000
: end

It seems to happen when it cannot reach my syslog server (when I restart it). Has anyone seen something like this before? I know that debug all can kill an underpowered, busy router. I've never experienced any of these issues, however, with the PIX.

Errol
 
That's right! You are logging using TCP:

logging host inside 172.16.101.106 6/1468

so when your syslog server is unreachable the PIX will inevitably crash. The reason is that TCP is a connection-oriented protocol, so the PIX expects an acknowledgment from the server whenever it sends a syslog message. Since it never receives any acknowledgment while the server is unreachable, the PIX is basically DoS attacking itself. The best solution is to configure your server to listen on UDP and configure the PIX to send syslogs using UDP instead.
 
So what would the config line be for UDP?
It can't be the same, just with a different port #, can it?

Computer/Network Technician
CCNA
 
The PIX by default uses UDP port 514; this means you don't need to specify anything, as the defaults will be used:

logging host inside 10.10.10.5

will send syslog messages to server 10.10.10.5, which is off the inside interface.

If your server listens on a different UDP port (say 5000), then you need to specify it:

logging host inside 10.10.10.5 17/5000
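The following is an added example, not part of this thread and not a Cisco tool: a small Python checker that parses PIX 6.x "logging host" lines the way the replies above describe them (protocol 6 is TCP, 17 is UDP, and an omitted protocol/port means 17/514), flags any TCP syslog host, and prints the UDP equivalent the reply recommends. The sample config lines are the ones quoted in this thread; the class and function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the logging lines from the PIX config posted in the thread,
# plus the two UDP forms from the reply. Not a real device export.
SAMPLE_CONFIG = """\
logging on
logging trap informational
logging host inside 172.16.101.106 6/1468
logging host inside 10.10.10.5
logging host inside 10.10.10.5 17/5000
"""

# PIX 6.x form: logging host <if_name> <ip> [<proto>/<port>]
# proto is the IP protocol number: 6 = TCP, 17 = UDP. Default is 17/514.
LOGGING_HOST_RE = re.compile(
    r"^logging host (?P<iface>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: (?P<proto>\d+)/(?P<port>\d+))?\s*$"
)
DEFAULT_PROTO, DEFAULT_PORT = 17, 514


@dataclass(frozen=True)
class SyslogHost:
    iface: str
    ip: str
    proto: int
    port: int

    @property
    def is_tcp(self) -> bool:
        return self.proto == 6


def parse_logging_hosts(config: str) -> list[SyslogHost]:
    """Extract every 'logging host' line, filling in the PIX defaults."""
    hosts = []
    for line in config.splitlines():
        m = LOGGING_HOST_RE.match(line.strip())
        if not m:
            continue
        proto = int(m.group("proto")) if m.group("proto") else DEFAULT_PROTO
        port = int(m.group("port")) if m.group("port") else DEFAULT_PORT
        hosts.append(SyslogHost(m.group("iface"), m.group("ip"), proto, port))
    return hosts


def udp_equivalent(host: SyslogHost) -> str:
    """Same server and port, but sent over UDP (protocol 17)."""
    return f"logging host {host.iface} {host.ip} 17/{host.port}"


def audit(config: str) -> list[str]:
    """One finding per TCP syslog host: the failure mode the thread describes
    (PIX stops passing traffic when a TCP syslog server is unreachable)."""
    findings = []
    for h in parse_logging_hosts(config):
        if h.is_tcp:
            findings.append(
                f"{h.ip} ({h.iface}) logs over TCP port {h.port}: if this server is "
                f"unreachable the PIX stops passing traffic; replace with "
                f"'{udp_equivalent(h)}' and have the server listen on UDP"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it as a script to print the findings for the embedded sample, or pass "show running-config" output to audit(). Moving to UDP removes the blocking behaviour at the price of silently lost messages while the server is down, so pair the change with availability monitoring on the syslog server itself.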
 
Also, you might want to add this line:

no logging message 400011

This command tells the PIX not to log messages about the syslog server being down when it is down.

I had a problem where the syslog server would run out of space, then the PIX would fill its logging buffer and slow down since it kept looping on the syslog server being down.

i.e.

Syslog server is full or down.
PIX notices, and generates an error
PIX syslog information will try to record that error
PIX notices syslog server is down (trying to write first syslog server down error)
*Loop*
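As an added example (not from this thread or from Cisco), here is a Python script that spots the loop described in the last reply from a captured log rather than from the device's behaviour: it counts PIX message IDs in the "%PIX-<severity>-<id>:" prefix, reports any single ID that dominates the capture, and prints the matching "no logging message <id>" line. The log lines are constructed for the demonstration (the text after each ID is placeholder wording), and the two thresholds are arbitrary assumptions.

```python
import re
from collections import Counter
from typing import Iterable

# Constructed sample (not a real capture): a few ordinary PIX lines followed by
# a burst of message 400011, the ID the reply above suggests suppressing.
SAMPLE_LOG = [
    "%PIX-6-302013: Built outbound TCP connection (sample text)",
    "%PIX-6-302014: Teardown TCP connection (sample text)",
    "%PIX-4-106023: Deny tcp src outside (sample text)",
    "%PIX-6-302013: Built outbound TCP connection (sample text)",
] + ["%PIX-4-400011: (sample text standing in for message 400011)"] * 16

# PIX syslog prefix: %PIX-<severity 0-7>-<six-digit message id>:
PIX_MSG_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<id>\d{6}):")


def count_message_ids(lines: Iterable[str]) -> Counter:
    """Count occurrences of each PIX message ID; lines without a prefix are ignored."""
    counts: Counter = Counter()
    for line in lines:
        m = PIX_MSG_RE.search(line)
        if m:
            counts[m.group("id")] += 1
    return counts


def find_storms(lines: Iterable[str], min_count: int = 10,
                min_share: float = 0.5) -> list[tuple[str, int]]:
    """Return (id, count) for IDs that are both frequent and dominant.
    Both thresholds are assumptions for the demo; tune them to the log volume."""
    counts = count_message_ids(list(lines))
    total = sum(counts.values())
    if total == 0:
        return []
    return [(mid, n) for mid, n in counts.most_common()
            if n >= min_count and n / total >= min_share]


def suppression_lines(storm_ids: Iterable[str]) -> list[str]:
    """PIX config lines that stop the device generating those message IDs."""
    return [f"no logging message {mid}" for mid in storm_ids]


if __name__ == "__main__":
    storms = find_storms(SAMPLE_LOG)
    for mid, n in storms:
        print(f"message {mid} accounts for {n} of {len(SAMPLE_LOG)} lines")
    for line in suppression_lines(mid for mid, _ in storms):
        print(line)
```

Feed it the lines from the syslog server (or from "show logging" on the PIX) and it will name the ID that is flooding the buffer. Keep in mind that "no logging message" disables that ID for every logging destination, not only the syslog host, so treat the suppression as a workaround while the server's disk space or availability is fixed.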
 