<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: PIX syslog paradox in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/pix-syslog-paradox/m-p/543969#M527827</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We had the same problem here when syslog server or snmp-server (trap) went under maintenance. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This command on the pix solved the issue.&lt;/P&gt;&lt;P&gt;icmp permit host _ip_server_ unreachable inside&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1026574" target="_blank"&gt;http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1026574&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;Mike&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 08 Feb 2006 14:50:56 GMT</pubDate>
    <dc:creator>mpalardy</dc:creator>
    <dc:date>2006-02-08T14:50:56Z</dc:date>
    <item>
      <title>PIX syslog paradox</title>
      <link>https://community.cisco.com/t5/network-security/pix-syslog-paradox/m-p/543967#M527825</link>
      <description>&lt;P&gt;We have a pix 515E pix fos ver 7 configured to syslog to 2 hosts on trap level info. We have noticed whenever any one syslog is stopped...and do an icmp debug trace..the pix is found to be receiving icmp voluminous destination unreachable from the syslog server which is down and the other syslog hosts register icmp type code 3 from the downed syslog server hitting the pix interface. This made our PIX util peak to 99% &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Does this mean PIX keeps &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1)ICMP keepalives with every syslog hosts&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2)And how is it when one syslog server is down the other syslog server registers icmp type 3 code requests from the syslog server which has been downed in such voluminous quantities that the PIX is overwhelmed&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Normal syslog udp is being used in this setup, as soon as we drop the logging to warning..the problem disappears&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Pls advise&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 08:41:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-syslog-paradox/m-p/543967#M527825</guid>
      <dc:creator>mbalasubramanian</dc:creator>
      <dc:date>2020-02-21T08:41:52Z</dc:date>
    </item>
    <item>
      <title>Re: PIX syslog paradox</title>
      <link>https://community.cisco.com/t5/network-security/pix-syslog-paradox/m-p/543968#M527826</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;have you had a look at the number of syslog messages from the PIX and the content? Each syslog message and each ICMP message to the PIX have to be processed, many of them and you might have high CPU utilization.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am assuming, that for each syslog message sent to the downed server you get a port unreachable back to the PIX. This means roughly twice the amount of CPU utilization compared to no ICMP (server not being down). Are you sure about the ICMP message being really destination unreachable? Then I would assume a router to be the source of them. The PIX does not use ICMP keepalives with syslog servers, afaik.&lt;/P&gt;&lt;P&gt;Changing the logging level should simply reduce the number of messages logged and therefore reduce the CPU load. In case you do not need the info level messages this would be the recommendation - do not log, what you are not using in some way, it will only waste resources like CPU in the PIX.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this helps! Please rate all posts.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards, Martin&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 07 Feb 2006 18:57:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-syslog-paradox/m-p/543968#M527826</guid>
      <dc:creator>mheusinger</dc:creator>
      <dc:date>2006-02-07T18:57:57Z</dc:date>
    </item>
    <item>
      <title>Re: PIX syslog paradox</title>
      <link>https://community.cisco.com/t5/network-security/pix-syslog-paradox/m-p/543969#M527827</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We had the same problem here when syslog server or snmp-server (trap) went under maintenance. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This command on the pix solved the issue.&lt;/P&gt;&lt;P&gt;icmp permit host _ip_server_ unreachable inside&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1026574" target="_blank"&gt;http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1026574&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;Mike&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 08 Feb 2006 14:50:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-syslog-paradox/m-p/543969#M527827</guid>
      <dc:creator>mpalardy</dc:creator>
      <dc:date>2006-02-08T14:50:56Z</dc:date>
    </item>
  </channel>
</rss>

