08-02-2016 01:56 AM - edited 03-08-2019 06:51 AM
Hello everyone,
I'm trying to deploy a new syslog server on my access switches.
This syslog server is behind a load balancer (F5) and a VIP (virtual IP address).
UDP port 514 is working on the server and everything should be properly configured; indeed, one of my devices can send syslog to my server.
My network architecture is simple : access switches, then distribution switches and some routing devices but there is no firewall between my access devices and my syslog server.
The strange thing is that on my test switches, the link is up and when I check on my syslog server, I see many logs from my device, whereas on my access switches, the link is down and we can't see any logs on the server.
Here is the output of a sh logging on one of my devices which is not working:
Logging to 10.80.18.69 (udp port 514, audit disabled,
link down),
0 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Here is the output of a sh logging on one of my devices which is working:
Logging to 10.80.18.69 (udp port 514, audit disabled,
authentication disabled, encryption disabled, link up),
4 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
On these 2 devices, the configuration is strictly the same but I can't figure out why one of them is not working...
I just gave you an example, but I've this issue on a lot of devices in my LAN.
The first thing that I'd like to know is the process behind the link state (link up / link down for the syslog server).
How could the switch know if the link is up or down?
I did several traceroute, ping and Wireshark checks at different spots and I saw nothing interesting.
Thank you,
Yoann
08-02-2016 02:04 AM
Hi
Can the switch ping the syslog server OK?
If you bypass the load balancer, does it work OK?
08-02-2016 02:14 AM
I can ping the syslog server from the devices.
I tried using the server IP address and not the VIP, and I got the same result.
08-02-2016 02:30 AM
Is there a difference between the software versions on the switch that is working and the switch that is not?
Try turning off syslog then turning it back on (no logging trap). Link down means the switch does not see it as a valid server currently. Have you tried rebooting the switch as well? If it's not a server-side issue, it might be software in the switch, if something is not blocking 514 between the 2 devices somewhere.
A reload will clear the sockets; check show ip sockets.
08-02-2016 02:51 AM
Thank you for your reply.
I'll plan some tests using your advice.
In fact, we have more than 4 000 access switches. I hoped that the issue was on the syslog server, but as I said it before, there are several devices on which syslog server is working correctly. So I don't know it comes from the server... Sadly
Yoann
08-02-2016 02:55 AM
Yes, even though it may be working with some switches and not others, I would still not rule out the server; it may be specific software etc. it's working with and not others. Add a small freeware syslog server at the same location and see if you face the same issues; that will at least rule out your server as well.
Good luck, let me know how it goes when you have tested.
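Added example, not part of the original thread: with several thousand switches, the "Logging to ..." stanzas quoted in the first post can be parsed to list which devices report the syslog destination as link down or with zero messages logged, which is where log visibility is missing. The device names and the idea of collecting each switch's output into a dict are assumptions; the sample stanzas are the two quoted in the thread.

```python
import re

# One "Logging to ..." stanza per syslog destination in "show logging" output.
STANZA = re.compile(
    r"Logging to (?P<host>\S+)\s+\((?P<opts>.*?)\),\s*"
    r"(?P<logged>\d+) message lines logged",
    re.DOTALL,
)

def parse_show_logging(text):
    """Return one record per syslog destination found in the output."""
    records = []
    for m in STANZA.finditer(text):
        opts = " ".join(m.group("opts").split())  # undo CLI line wrapping
        port = re.search(r"(udp|tcp) port (\d+)", opts)
        link = re.search(r"link (up|down)", opts)
        records.append({
            "host": m.group("host"),
            "transport": port.group(1) if port else None,
            "port": int(port.group(2)) if port else None,
            "link": link.group(1) if link else "unknown",
            "logged": int(m.group("logged")),
        })
    return records

def silent_devices(outputs):
    """Map device name -> destinations that are not link up or logged nothing.
    A device with no syslog destination at all maps to an empty list."""
    gaps = {}
    for device, text in outputs.items():
        records = parse_show_logging(text)
        bad = [r for r in records if r["link"] != "up" or r["logged"] == 0]
        if bad or not records:
            gaps[device] = bad
    return gaps

# Device names are constructed; the stanzas are the two quoted in the thread.
SAMPLE = {
    "access-sw-01": "Logging to 10.80.18.69 (udp port 514, audit disabled,\n"
                    "link down),\n0 message lines logged,\n"
                    "0 message lines rate-limited,\n",
    "test-sw-01": "Logging to 10.80.18.69 (udp port 514, audit disabled,\n"
                  "authentication disabled, encryption disabled, link up),\n"
                  "4 message lines logged,\n0 message lines rate-limited,\n",
}

if __name__ == "__main__":
    for device, bad in silent_devices(SAMPLE).items():
        print(device, [(r["host"], r["link"], r["logged"]) for r in bad])
```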