
syslog of standby unit

Bruce Summers
Level 1

Trying to figure out why I'm not seeing syslog messages coming from my standby unit of an active/passive pair of 4700 ACE Appliances.

ACE-4710-K9
Version A3(2.4)

I have syslog configured
Failover is functioning
I see log messages sent (UDP 514) to the syslog server from the primary
Standby logging is enabled.

However, I see no log messages being generated to the syslog.

 

Am I missing something in this scenario?

 

Thanks.

Bruce



 


Kanwaljeet Singh
Cisco Employee

Hi Bruce,

If logging standby is enabled then standby should send the logs. Can you try disabling and re-enabling standby logging on ACTIVE? Are you able to ping the syslog server from the standby?

There is one DDTS too in the version you are running:

CSCte66425    Syslog not generating level 6 messages

But that is applicable to active, standby and standalone ACE.

Regards,

Kanwal

Yes - disabled/re-enabled standby logging - no effect

Yes - I can ping the syslog server from the standby unit

Yes - all firewalls in path are open for UDP 514

I performed a quick Google search for that bug you reference, and I received no results. Have a link?

Hi Bruce,

I tried searching internally here and couldn't find much regarding this. In one issue, clear logging helped. Could you please do "clear logging" and see if it starts sending the logs again? Do you also think you can possibly try and reload standby and see if that helps?

Is it a problem with a single context or all contexts? I did find a few cases in which only a few contexts had the problem and not all. The issue can also be due to contexts not guaranteed minimum resource.

Kindly check on these things and see if that resolves the issue. Configuration seems to be good here.

Regards,

Kanwal

Kanwal,

I can't reload the standby. Seems to be some contexts are working, some are not. Example: admin context does not appear to be logging, but the user context is...same exact configuration.

I'm beginning to think this may be a routing issue out of the ACE...is there a mechanism for "sourcing" a specific interface for logging?

Also, I'm not familiar with the resource guarantee you mention:

"The issue can also be due to contexts not guaranteed minimum resource."

 

thanks.

 

 

Let me pose another question. Maybe I'm looking at this wrong.

So, with standby logging on, the documentation advises you are increasing the logging by twice as much with an HA pair...which makes sense. Both primary and standby units are logging.

So, maybe the better approach is to log only from the active unit (generally the primary). But that begs the question:

If standby logging is disabled, does that imply in a failover scenario, where the secondary unit assumes the role of active, does it then immediately begin logging to the syslog server?

If it does, then probably the better approach is to keep standby logging disabled.

Bruce

Hi Bruce,

You are correct in your understanding. But please note that "standby" and "Active" probe real servers independently among other things. So standby can log messages related to events which are independent of ACTIVE like probe failure.

But yes, the standby after becoming ACTIVE should start logging immediately.

Regards,

Kanwal

ahhh...ok...so, possibly my thought about disabling standby logging may not be appropriate, since we would want to see failed probes and the like from the standby BEFORE a failover occurred...

do you know what best practice is? or is that simply based on your need?

appreciate your continued responses...

 

Hi Bruce,

Well, I would say it depends upon needs and different requirements. There is no such best practice. But there can be many events which happen independently to an individual device and it would make sense to enable logging on it too. But ensure that you don't set logging levels very high, like 6 or 7, which can actually overwhelm the device sometimes. In any case these levels should only be set while you are troubleshooting the actual problem.

Regards,

Kanwal

Hi Bruce,

Did you try clear logging? If not, I would suggest doing the same.

Please do "show logging statistics" in affected contexts and see if the counters like "host" are increasing. Also, please do "show logging queue" and see the below counter's value:

switch/Admin# show logging queue

        Logging Queue length limit : 80 msg(s), 8 msg(s) discarded.
        Current 0 msg on queue, 5 msgs most on queue

By default, logging queue would be 80. If you see it is 0 please increase it.

Also, do "show resource usage" in the affected contexts and look at the counters highlighted below:

switch/Admin# show resource usage
                                                     Allocation
        Resource         Current       Peak        Min        Max       Denied
-------------------------------------------------------------------------------
Context: Admin
  conc-connections              0         42        100    8000000          0
  mgmt-connections              4       1630        100     100000          0
  proxy-connections             0         42          0    1048572          0
  xlates                        0          0          0    1048572          0
  bandwidth                   616     338973    2500000  625000016          0
    throughput                  0     207796    1250000  500000016          0
    mgmt-traffic rate         616     131177    1250000  125000000          0
  connection rate               0        706        100     600000          0
  ssl-connections rate          0          0          0      30000          0
  mac-miss rate                 0          1          0       2000          0
  inspect-conn rate             0          0          0     240000          0
  http-comp rate                0          0          0  786432000          0
  to-cp-ipcp rate               0        534          0       5000          0
  acl-memory                95136      97096          0   99579792          0
  sticky                        2          2          0    4194304          0
  regexp                        0          0          0    1048576          0
  syslog buffer                 0      29696          0    4194304          0
  syslog rate                   0          6          0     100000          0

 

If you see the last counter on the right increasing then there is a resource problem. Also, do "show resource allocation" and see if you have any minimum resource guaranteed or not. Generally, if you don't see any number in the right-most column, you don't need to worry about resource crunch. But it is a good practice to have some minimum guaranteed to each context.

Coming to your question of sending logs from a specific interface, I don't see any way of doing it. I guess it will send logs from the interface through which the syslog server is reachable. But you can always make the ACE define the interface or hostname as a device-id to be included in the log messages it will send, even though the actual interface through which the log is sent is different.

 

Regards,

Kanwal
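
The two checks described in the post above (the queue limit and discarded count in "show logging queue", and a non-zero Denied column in "show resource usage"), written as an added example that is not part of the original thread or any Cisco tooling. The sample output, the context name user1 and the non-zero Denied value are constructed for illustration; collecting the CLI output as text is assumed to happen separately.

```python
import re

# Constructed samples modelled on the CLI output quoted in the thread.
SAMPLE_QUEUE = """\
        Logging Queue length limit : 80 msg(s), 8 msg(s) discarded.
        Current 0 msg on queue, 5 msgs most on queue
"""

SAMPLE_USAGE = """\
Context: Admin
  conc-connections              0         42        100    8000000          0
  syslog buffer                 0      29696          0    4194304          0
  syslog rate                   0          6          0     100000          3
Context: user1
    mgmt-traffic rate         616     131177    1250000  125000000          0
  syslog buffer                 0      29696          0    4194304          0
  syslog rate                   0          6          0     100000          0
"""

QUEUE_RE = re.compile(r"length limit\s*:\s*(\d+) msg\(s\),\s*(\d+) msg\(s\) discarded")
# Resource names may contain spaces ("syslog rate"), so anchor on the five
# trailing numeric columns: Current, Peak, Min, Max, Denied.
ROW_RE = re.compile(r"^\s+(\S.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def check_queue(text):
    """Report a zero queue limit and any discarded messages."""
    m = QUEUE_RE.search(text)
    if not m:
        raise ValueError("no 'Logging Queue length limit' line found")
    limit, discarded = int(m.group(1)), int(m.group(2))
    findings = []
    if limit == 0:
        findings.append("queue length limit is 0")
    if discarded:
        findings.append(f"{discarded} message(s) discarded from the queue")
    return findings

def denied_resources(text, prefix=""):
    """Return [(context, resource, denied)] for rows with Denied > 0."""
    context, hits = None, []
    for line in text.splitlines():
        if line.startswith("Context:"):
            context = line.split(":", 1)[1].strip()
            continue
        m = ROW_RE.match(line)
        if m and m.group(1).startswith(prefix) and int(m.group(6)) > 0:
            hits.append((context, m.group(1), int(m.group(6))))
    return hits
```

Running both functions on output captured at intervals shows whether the discarded and Denied counters are increasing, which is the condition the post says to look for.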

 

 

 

 
