02-16-2007 01:58 PM - edited 03-11-2019 02:34 AM
Hello,
One of my firewalls hung and stopped VPN from working. Rebooting the firewall resolved the issue.
Is there a method on how I can tell what caused this? Syslog is enabled but I'm not sure where the messages and logs are being transferred to because someone else configured this. Anyone know how I can figure this info out?
I also noticed a graphical interface. How is this viewed and configured?
http://www.ciscopress.com/content/images/chap09_1587051583/elementLinks/fig03.jpg
Thanks
02-16-2007 10:31 PM
hello danny,
You should install a syslog application, e.g. SolarWinds syslog or Kiwi Syslog; both have different features but serve the purpose of a syslog application well enough.
Then log into your PIX config mode and enter these commands:
#logging host inside >your syslog system ip<
#logging trap informational or debugging
#logging on
This will make the PIX forward all logging messages to your syslog machine, and later you can analyze what's causing the issue.
HTH, please rate it
02-17-2007 05:45 AM
thanks for the response
If I issue the show logging command, it gives me some info but not much is helpful. On the first line it says syslog enabled.
How can I view the syslog logs? I never set up the firewall so I'm not sure how the person configured it.
Thanks
02-17-2007 11:27 AM
That's only the internal log buffer, which is small. To capture the output, set up the syslog program mentioned above on a computer / server, make sure udp 514 is open and issue:
logging host inside (ip of syslog svr)
logging timestamp
logging trap (level)
where level is info or debug.
This will give you plenty of log info
02-17-2007 09:34 PM
thanks for the reply
when I issue sh logging, it shows syslog enabled already.
Someone may have configured this on the firewall already. Are there any methods to figure out where the syslog program is outputting to?
Thanks again.
02-17-2007 09:40 PM
hello,
Did you install and configure the PIX as I explained above?
Are you saying you still cannot see the logs in your syslog application?
02-18-2007 06:26 AM
I will have to try it on Monday.
My concern is that someone has already configured it. When I issue the sh logging command it's telling me that syslog is enabled. What can that mean? I'm starting to assume that it's already generating logs but I'm not sure where they're output to.
If I install the syslog app, won't it capture errors going forward? I'm trying to figure out what caused the firewall to kill the vpn on Friday.
02-20-2007 07:38 AM
On the output of the "show logging" command you should see something like this:
========================
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level notifications, 233423171 messages logged
Trap logging: level notifications, 31732377 messages logged
Logging to outside 1.2.3.4
History logging: level errors, 4034648 messages logged
========================
The key line above is the "Logging to outside 1.2.3.4" which says you have an external syslog server configured. If you don't have something similar to this (note that the "outside" is referring to the interface you are sending logs to - yours would probably show "inside") then you are only logging to the internal buffer as someone else has mentioned.
Get Kiwi and follow their instructions for setting up syslog - they have pretty good instructions for getting it to work on a PIX.
Good luck!
Scott
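The check described in the post above, as an added example that is not part of the original thread: a Python parser for saved "show logging" output that reports whether an external syslog host is configured. The sample text is constructed from the output quoted above; `parse_show_logging` and `findings` are hypothetical helper names.

```python
import re

# Constructed sample, modelled on the "show logging" output quoted in the thread.
SAMPLE = """\
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level notifications, 233423171 messages logged
Trap logging: level notifications, 31732377 messages logged
Logging to outside 1.2.3.4
History logging: level errors, 4034648 messages logged
"""

DEST_RE = re.compile(r"^\s*Logging to (\S+) (\d{1,3}(?:\.\d{1,3}){3})\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+ logging|Facility):\s*(.+?)\s*$")
LEVEL_RE = re.compile(r"level (\w+)")

def parse_show_logging(text):
    """Return syslog destinations and the state/level of each logging target."""
    result = {"hosts": [], "targets": {}}
    for line in text.splitlines():
        m = DEST_RE.match(line)
        if m:  # "Logging to <interface> <ip>" names an external server
            result["hosts"].append((m.group(1), m.group(2)))
            continue
        m = FIELD_RE.match(line)
        if m:
            level = LEVEL_RE.search(m.group(2))
            result["targets"][m.group(1)] = level.group(1) if level else m.group(2)
    return result

def findings(parsed):
    """List the reasons why messages may not be reaching a syslog server."""
    out = []
    if parsed["targets"].get("Syslog logging") != "enabled":
        out.append("logging is not enabled")
    if not parsed["hosts"]:
        out.append("no external syslog host: only the internal buffer holds messages")
    elif parsed["targets"].get("Trap logging") in (None, "disabled"):
        out.append("syslog host set but trap logging is disabled: nothing is sent")
    return out

if __name__ == "__main__":
    parsed = parse_show_logging(SAMPLE)
    print(parsed["hosts"], findings(parsed) or "external syslog is configured")
```
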
02-20-2007 08:03 AM
Okay, I fully understand now.
I have been speaking with someone in regards to this firewall and they stated that the memory becomes full and must be rebooted once per month.
Is there a way where I can list this information (total memory size, how much memory is being used, etc)
I know the syslog just gives you traffic information but I don't think it will give information related to the memory.
Thanks
02-20-2007 08:20 AM
You can do a "show memory" command:
show mem
Free memory: 183018200 bytes
Used memory: 85417256 bytes
------------- ----------------
Total memory: 268435456 bytes
If the firewall is running out of memory and must be rebooted, you have a significant problem. I have not seen or heard of anything like that. What version of PIXOS are you running?
02-20-2007 01:40 PM
Thanks for the response. I will have to issue this command the next time I run into a problem. It's got 49405952 bytes free right now out of 67108864.
Here is the firewall info:
Cisco pix version 6.1(2)
Cisco pix device manager version 1.1(2)
02-20-2007 02:19 PM
If you are running ipsec, there is an issue in your version regarding a memory leak. It is bug # CSCdw38189 - see link below.
http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdw38189%20
If the PIX crashes (reboots) you could attach a PC to the console of the FW and capture the console output (tracebacks) when the PIX reboots.
Also, the same technique can be used to make sure when it does reboot, there are no other errors showing up.
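To confirm a leak like the one discussed above before the next hang, periodic "show memory" captures can be trended. The following is an added example, not part of the original thread: it fits a line through free memory over time and estimates the days left. The first capture uses the figures reported in the thread; the later captures and timestamps are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime

MEM_RE = re.compile(r"^(Free|Used|Total) memory:\s+(\d+) bytes", re.M)

def parse_show_memory(text):
    """Return {'Free', 'Used', 'Total'} byte counts from 'show memory' output."""
    vals = {k: int(v) for k, v in MEM_RE.findall(text)}
    if set(vals) != {"Free", "Used", "Total"}:
        raise ValueError("incomplete 'show memory' output")
    if vals["Free"] + vals["Used"] != vals["Total"]:
        raise ValueError("free + used does not equal total")
    return vals

def leak_trend(captures):
    """Least-squares trend of free memory.

    captures: list of (ISO timestamp, 'show memory' text), oldest first.
    Returns (bytes_per_day, days_left); days_left is None if not shrinking.
    """
    t0 = datetime.fromisoformat(captures[0][0])
    xs = [(datetime.fromisoformat(ts) - t0).total_seconds() / 86400
          for ts, _ in captures]
    ys = [parse_show_memory(txt)["Free"] for _, txt in captures]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("need captures taken at two or more different times")
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    if slope >= 0:
        return slope, None
    zero_at = mx - my / slope          # day on which the fitted line hits 0
    return slope, zero_at - xs[-1]     # measured from the latest capture

def _sample(free, total=67108864):
    """Build 'show memory' text in the format shown in the thread."""
    return (f"Free memory: {free} bytes\nUsed memory: {total - free} bytes\n"
            f"------------- ----------------\nTotal memory: {total} bytes\n")

# First row: values from the thread. Remaining rows: constructed.
CAPTURES = [
    ("2007-02-20T09:00:00", _sample(49405952)),
    ("2007-03-02T09:00:00", _sample(39405952)),
    ("2007-03-12T09:00:00", _sample(29405952)),
]

if __name__ == "__main__":
    rate, left = leak_trend(CAPTURES)
    print(f"free memory changing by {rate:.0f} bytes/day, ~{left:.1f} days left")
```
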
02-20-2007 02:22 PM
Regarding the GUI you show in the link - that is using a tool called Sawmill (http://www.sawmill.net) to analyze a log file.
You might download an eval copy to see if it works for you.
Good luck - Scott