https://community.cisco.com/t5/network-security/pix-and-syslog/m-p/471914#M531204 <P>We have noticed that when the syslog server becomes unavailable that the pix generates large amounts of ICMP reverse path check errors. Can some one explain why this happens and if it can be prevented. </P><P>Thanks</P><P>marcus</P> Fri, 21 Feb 2020 08:29:48 GMT mgaysek 2020-02-21T08:29:48Z https://community.cisco.com/t5/network-security/pix-and-syslog/m-p/471914#M531204 <P>We have noticed that when the syslog server becomes unavailable that the pix generates large amounts of ICMP reverse path check errors. Can some one explain why this happens and if it can be prevented. </P><P>Thanks</P><P>marcus</P> Fri, 21 Feb 2020 08:29:48 GMT https://community.cisco.com/t5/network-security/pix-and-syslog/m-p/471914#M531204 mgaysek 2020-02-21T08:29:48Z https://community.cisco.com/t5/network-security/pix-and-syslog/m-p/471915#M531208 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>By disabling the syslog server, you are effectively DoSing the PIX.</P><P></P><P>PIX sends syslog message to Windows based syslogs server on UDP port 514.</P><P>Windows doesn't have a service listening on that port, so it sends back a port unreachable message. That ICMP message gets back to the PIX, where</P><P>"ip audit" is applied to the interface, causing the PIX to generate a syslog for the Unreachable message it got from the syslog server in response to the syslog that the PIX originaly sent it. Got it ;-0</P><P></P><P>The solution is to disable the logging of the ICMP unreachable message, or disable the audit command or removing the logging host command if the syslog server is unavailable.</P><P></P><P>I hope it helps.</P><P></P><P>Franco Zamora</P></BODY></HTML> Mon, 31 Oct 2005 14:17:55 GMT https://community.cisco.com/t5/network-security/pix-and-syslog/m-p/471915#M531208 fzamora 2005-10-31T14:17:55Z https://community.cisco.com/t5/network-security/pix-and-syslog/m-p/471916#M531210 <HTML><HEAD></HEAD><BODY><P>Great! thank you... does the same happen on unix based syslog servers?</P></BODY></HTML> Mon, 31 Oct 2005 14:58:41 GMT https://community.cisco.com/t5/network-security/pix-and-syslog/m-p/471916#M531210 mgaysek 2005-10-31T14:58:41Z https://community.cisco.com/t5/network-security/pix-and-syslog/m-p/471917#M531212 <HTML><HEAD></HEAD><BODY><P>If the UNIX does not have a listening port, I assume the behavior will be the same.</P><P></P><P>Franco</P><P></P></BODY></HTML> Mon, 31 Oct 2005 15:40:29 GMT https://community.cisco.com/t5/network-security/pix-and-syslog/m-p/471917#M531212 fzamora 2005-10-31T15:40:29Z