
What does "link down" mean when viewing output of sh logging for a specific logging to server?

fatboyinva
Level 1

On a 3560 I have (2) syslog servers defined. Both are up and operational and reachable via ping from the switch. However, on the second defined logging server, the output of the sh logging command states "link down" (see below for command output). This syslog server is not receiving any syslog traps defined. The logging defined is logging trap warnings. I have verified trap messages are in the log output at the defined severity level and above (error/critical). My assumption is that the link down has something to do with why no syslog is being sent to this server.

    Logging to x.x.x.x  (udp port 514,  audit disabled,
          authentication disabled, encryption disabled, link up),
          225 message lines logged,
          0 message lines rate-limited,
          0 message lines dropped-by-MD,
          xml disabled, sequence number disabled
          filtering disabled
    Logging to x.x.x.x  (udp port 514,  audit disabled,
          authentication disabled, encryption disabled, link down),
          0 message lines logged,
          0 message lines rate-limited,
          0 message lines dropped-by-MD,
          xml disabled, sequence number disabled
          filtering disabled

thanks,

james
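
A destination stuck at "link down" with 0 message lines logged is a silent gap in log collection, so it is worth checking for across devices. The following is an added example, not part of the original post: a parser for the per-host blocks of `sh logging` output in the format quoted above. The function names and the 192.0.2.x addresses are assumptions made for illustration.

```python
import re

# Constructed, abridged sample in the format quoted in the post (placeholder addresses).
SAMPLE = """\
    Logging to 192.0.2.10  (udp port 514,  audit disabled,
          authentication disabled, encryption disabled, link up),
          225 message lines logged,
          0 message lines dropped-by-MD,
    Logging to 192.0.2.20  (udp port 514,  audit disabled,
          authentication disabled, encryption disabled, link down),
          0 message lines logged,
          0 message lines dropped-by-MD,
"""

HOST_RE = re.compile(r"Logging to (\S+)\s+\((\w+) port (\d+),")
LINK_RE = re.compile(r"\blink (up|down)\b")
COUNT_RE = re.compile(r"(\d+) message lines (logged|rate-limited|dropped-by-MD)")

def parse_show_logging(text):
    """Return one dict per 'Logging to <host>' block in the output."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m:
            hosts.append({"host": m.group(1), "proto": m.group(2),
                          "port": int(m.group(3)), "link": None, "counts": {}})
        if not hosts:
            continue  # console/monitor/buffer lines before the first host block
        cur = hosts[-1]
        m = LINK_RE.search(line)
        if m:
            cur["link"] = m.group(1)
        for n, kind in COUNT_RE.findall(line):
            cur["counts"][kind] = int(n)
    return hosts

def forwarding_gaps(hosts):
    """List (host, reasons) for destinations that are not receiving messages."""
    gaps = []
    for h in hosts:
        reasons = []
        if h["link"] != "up":
            reasons.append("link " + (h["link"] or "state missing"))
        if h["counts"].get("logged", 0) == 0:
            reasons.append("0 message lines logged")
        if reasons:
            gaps.append((h["host"], reasons))
    return gaps

print(forwarding_gaps(parse_show_logging(SAMPLE)))
```

A destination that shows "link up" but 0 message lines logged is also reported, since that can simply mean nothing at the trap level has occurred yet and needs a manual look.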


Jon Marshall
Hall of Fame

James

Your assumption is correct. For some reason the switch thinks that the second syslog server is not working, hence the reason it doesn't send any messages.

I know you said you could ping it but can you confirm that the syslog service is actually up and running on the 2nd server and that there is filtering either

1) on the syslog server itself

2) along the path from the switch to the syslog server that is denying udp port 514

Jon

Jon,

To answer your questions:

  1) Syslog is running on the server. The Windows server is running Kiwi/SolarWinds. When I do a netstat -an I see udp 514 listening:

UDP    0.0.0.0:514           *:*

I am also receiving other syslog data from Cisco switches on this syslog server. In addition, Windows Firewall is turned off.

2) The only device between this Cisco 3560 and the syslog server is another Cisco switch (distribution switch).  No firewall or other blocking device exists in addition to any access lists.  Here's a sample traceroute;

Type escape sequence to abort.
Tracing the route to (x.x.x.x)

  1 x.x.x x msec 0 msec 0 msec
  2 (x.x.x.x) 9 msec 0 msec 0 msec

thanks for your reply.

Hi Folks

Good Afternoon

I am facing the same issue as described above with a few 4948 switches. I was wondering if any solution was found?

many thanks

Hello,

I did not find a fix, but the resolution in our case was to reload the switch.  That seemed to clear the ip sockets table.   Also, a helpful command that was used is sh ip sockets.  Here is a sample output:

Proto  Remote      Port   Local     Port   In Out Stat   TTY OutputIF
17     --listen--         1.2.1.41  1975   0  0   11     0
17     0.0.0.0     0      1.2.1.41  67     0  0   2211   0
17     0.0.0.0     0      1.2.1.41  2228   0  0   211    0
17     10.1.1.1    60059  1.2.1.41  161    0  0   1      0
17     --listen--         1.2.1.41  162    0  0   11     0
17     --listen--         1.2.1.41  60380  0  0   1      0
17     --listen--         --any--   161    0  0   20001  0
17     --listen--         --any--   162    0  0   20011  0
17     --listen--         --any--   64379  0  0   20001  0
17     --listen--         1.2.1.41  123    0  0   1      0
17     172.17.9.2  514    1.2.1.41  58781  0  0   400201 0
17     172.17.8.2  514    1.2.1.41  55647  0  0   400201 0

thanks,

james

thanks James I will try it.

Thanks again for that I do appreciate.

Rommel

On Wed, Jun 23, 2010 at 9:18 PM, jawill47ec <

Probably poor form to wake this up from many years ago, but we found today that turning off syslog and turning it back on (after confirming routes are OK) also reset this functionality - tested on a 3750. (It could have been the trap level as well, we changed this at the same time).

Commands:

# no logging trap warnings

# logging trap informational

 

Not at all, this solution worked for us. Thank you for posting!

Thank you!  This worked for us on a 6509E.

This is still a current solution!  Used it this morning on a pair of ASR1006 routers.  Many thanks.


Worked for me for our IE2000s. Changing the logging level is what did it. Changed it to informational and the link came up. Changed it back to warning and the link stayed up.

I am using IBM QRadar. I was not able to send logs; after the command I am getting logs.

 

no logging trap warnings
logging trap informational

 

thanks again for the solution

I am using IBM QRadar. Can you send the full configuration?

Thanks 

Thank you sir, this worked!

Hey, worked like a charm, thanks, better late than never.
