Solved: Re: syslog to 2nd server doesn't work

aruzsinszky · ‎08-09-2008

Hi,

sh logg:

Syslog logging: enabled (1 messages dropped, 1 messages rate-limited,

0 flushes, 0 overruns, xml disabled, filtering disabled)

Console logging: level debugging, 2465 messages logged, xml disabled,

filtering disabled

Monitor logging: level debugging, 0 messages logged, xml disabled,

filtering disabled

Buffer logging: level debugging, 2465 messages logged, xml disabled,

filtering disabled

Logging Exception size (4096 bytes)

Count and timestamp logging messages: disabled

No active filter modules.

Trap logging: level debugging, 2469 message lines logged

Logging to 192.168.1.10 (udp port 514, audit disabled), 2469 message lines logged, xml disabled,

filtering disabled

Logging to 192.168.1.252 (udp port 514, audit disabled), 0 message lines logged, xml disabled,

filtering disabled

sh ver:

C1700 Software (C1700-IPBASE-M), Version 12.4(1a), RELEASE SOFTWARE (fc2)

On previous versions IOS it works!

What is the trick?

TIA,

Ruzsi

Joe Clarke · ‎08-09-2008

This is due to bug CSCsa87733. You will need to upgrade to 12.4(2) or higher to get the fix.

View solution in original post

Joe Clarke · ‎08-09-2008

This is due to bug CSCsa87733. You will need to upgrade to 12.4(2) or higher to get the fix.

aruzsinszky · ‎08-09-2008

I thought it but I wasn't sure.

Now I'm testing the config in dynamips.

Thanks,

Ruzsi

aruzsinszky · ‎08-22-2008

Hi,

Does PIX 6.3.5 suffer from this problem, too?

I've no luck with more than only one syslog server.

TIA,

Ruzsi

Joe Clarke · ‎08-22-2008

This bug is for IOS only. I couldn't find a PIX bug for this symptom. I did find an indication that multiple syslog destinations do work in 6.3, but I didn't see a specific 6.3 release.

aruzsinszky · ‎08-22-2008

Thanks for your prompt answer!

The problem somewhere other side because I can't ping the new syslog server. I don't know why.

They are in the same segment so now I've got no ideas. :-(

aruzsinszky · ‎08-22-2008

Can you tell me what thought PIX about the next MAC: 00:00:00:00:00:00?

It is the MAC of the syslog server!

Other machines (PCs, 2 SUN WSs, etc) work perfectly with that funny MAC.

TIA,

Ruzsi

Joe Clarke · ‎08-22-2008

Is the PIX sending a packet with a source MAC of 00:00:00:00:00:00 or is this the MAC being reported by the syslog server?

aruzsinszky · ‎08-22-2008

This is the MAC of syslog server.

Joe Clarke · ‎08-22-2008

Then it sounds like you have a bad NIC in that server. Try replacing it.

aruzsinszky · ‎08-23-2008

Not really.

Every machine can communicate with that PC except Cisco PIX 501. Even a Cisco 1721 router!

I know this MAC address not the best ...

Joe Clarke · ‎08-23-2008

Why are you using the MAC. It's generally considered invalid as it is used things such as in ARP packets, and some of our devices will complain if they see packets sourced from such a MAC. A NIC claiming to have such a MAC is either broken or did not get a proper MAC burned into at the factory. If you can't replace the NIC, try changing the MAC in software.

aruzsinszky · ‎08-23-2008

I think you know the source of my problem: my motherboard forgot its MAC which was burned into at factory.

I will change it but now the PC is a firewall, too, so not to easy just put into down state. And it is not trivial I can change from software (OpenSUSE 10.3). I found some instructions on the Net. So I change it ASAP.

I don't understand why my PIX hates at all this address if SUN ws (and other LAN devices) work happily.

I'm not sure this is the problem with PIX. But maybe ...

aruzsinszky · ‎08-23-2008

My problem was solved.

I sshed from the outside interface of my bad MAC PC and ifconfig command changed the MAC address successfully.

PIX can able to send syslog messages to this server, too.

Thanks!