
Syslog Configuration.

Hi,

 

Product : C9800-L-F-K9

IOS Version : 17.3.3 (Amsterdam) 


We want to configure syslog forwarding using TCP.
We want to enable blocking of TCP connections for syslog forwarding IF the syslog server destination is down.

 

Question:
We want to check whether this command is supported on our WLC:
logging permit-hostdown (command taken from the Cisco ASA)

Accepted Solution

NO! 

 

That is a firewall security logging requirement feature - nothing to do with devices hanging.

The WLC is NOT a firewall.

If you want your connections logged with that feature they will have to be routed through an ASA firewall to do that logging.


7 Replies

ammahend (VIP)

That command is not on the 9800, but you can set a custom port for syslog (only via CLI):

logging host <IP Address> transport {tcp | udp} port <PortNumber>

hope this helps

 

We know the configuration for syslog forwarding. What we want to know is whether we need a command to block TCP sessions if the syslog server at the destination is down and resume them when the syslog server at the destination is back online.

 

This will prevent the TCP sessions from being stuck at the source side (WLC) and eventually causing the WLC to hang.

Is there such a command for the WLC?

 

You may refer to this link:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/monitor_syslog.html


 

> ...if the syslog server at the destination is down and resume if the syslog server located at the destination is up online.

Well, that's the benefit of using standard UDP-based syslog (only), which is stateless: neither your device nor the receiver will be bothered if the destination is offline.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Arshad Safrulla (VIP Alumni)

You can use the below

ip tcp synwait-time <seconds>

 

This defines the period of time the Cisco IOS software waits while attempting to establish a TCP connection before it times out.
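Added example, not code from this thread or from Cisco: a small Python sender that puts M.'s point (UDP syslog is stateless, so a dead receiver costs the sender nothing) next to the connect-timeout idea behind Arshad's `ip tcp synwait-time` suggestion. The TCP path gives up on a SYN after a bounded timeout or a refused connection and queues the line instead of blocking the caller; the UDP path just calls sendto(). The hostname, ports, message text and the tiny local receiver are all constructed for the demo. It does not reproduce the ASA's `logging permit-hostdown`, which governs whether the ASA keeps passing traffic while its TCP syslog server is down; it only shows the fail-fast sender behaviour the poster is after.

```python
"""Added example (not Cisco code): a syslog sender that contrasts stateless UDP
with TCP that fails fast and queues when the receiver is down.  All hostnames,
ports and message text are constructed for the demo."""
import collections
import socket
import threading
from datetime import datetime

LOCAL7 = 23        # IOS's default logging facility
NOTICE = 5


def format_rfc3164(hostname, msg, facility=LOCAL7, severity=NOTICE, now=None):
    """Build a BSD-syslog line, e.g. b'<189>Mar  1 12:00:00 wlc1 %SYS-5-...\\n'.
    The trailing newline is the non-transparent TCP framing (RFC 6587) that
    newline-delimited TCP syslog relies on; UDP receivers simply ignore it."""
    now = now or datetime.now()
    pri = facility * 8 + severity
    ts = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"   # day is space-padded, not zero-padded
    return f"<{pri}>{ts} {hostname} {msg}\n".encode()


class SyslogForwarder:
    """Sends one line per call.  For TCP the connect timeout plays the role of
    'ip tcp synwait-time': how long we wait on a SYN before giving up."""

    def __init__(self, server, port, transport="tcp", connect_timeout=5.0, max_queued=1000):
        self.server, self.port, self.transport = server, port, transport
        self.connect_timeout = connect_timeout
        self.queue = collections.deque(maxlen=max_queued)   # bounded: oldest lines are dropped
        self.dropped = 0

    def send(self, line):
        return self._send_udp(line) if self.transport == "udp" else self._send_tcp(line)

    def _send_udp(self, line):
        # Stateless: sendto() succeeds whether or not anything is listening.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(line, (self.server, self.port))
        return True

    def _send_tcp(self, line):
        pending = list(self.queue) + [line]          # replay earlier failures first
        try:
            with socket.create_connection((self.server, self.port), timeout=self.connect_timeout) as s:
                s.settimeout(self.connect_timeout)
                s.sendall(b"".join(pending))
        except OSError:
            # Refused, unreachable or timed out: return to the caller instead of
            # blocking, and keep the line for the next attempt.
            if len(self.queue) == self.queue.maxlen:
                self.dropped += 1
            self.queue.append(line)
            return False
        self.queue.clear()
        return True


class _Collector(threading.Thread):
    """Tiny TCP receiver standing in for the syslog server during the demo."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.received = b""

    def run(self):
        conn, _ = self.sock.accept()
        with conn:
            while chunk := conn.recv(4096):
                self.received += chunk


def run_demo():
    """Send while the receiver is up, then after it goes away; report what happened."""
    line = format_rfc3164("wlc1", "%SYS-5-CONFIG_I: Configured from console by admin")  # constructed
    collector = _Collector()
    collector.start()
    tcp = SyslogForwarder("127.0.0.1", collector.port, "tcp", connect_timeout=2.0, max_queued=2)
    up = tcp.send(line)
    collector.join(timeout=5)
    collector.sock.close()                           # "server down": nothing listens on the port now

    down = [tcp.send(line) for _ in range(3)]        # three failures into a queue of two
    udp_ok = SyslogForwarder("127.0.0.1", collector.port, "udp").send(line)
    return {
        "tcp_delivered_while_up": up,
        "receiver_got_line": collector.received == line,
        "tcp_results_while_down": down,
        "queued": len(tcp.queue),
        "dropped": tcp.dropped,
        "udp_send_while_down": udp_ok,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Run it as a script: the first TCP send is delivered to the local receiver, the three sends after the receiver closes all return False within the connect timeout (connection refused is immediate on localhost), the queue holds the two newest lines and reports one drop, and the UDP send to the same dead port still returns True. The bounded deque is the design choice worth copying: an unbounded retry buffer turns a long outage into the memory exhaustion the poster is worried about.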

Thank you for your suggestion.

However, we do not want to use UDP because it is not as reliable as TCP.

 

Our problem:

If we use TCP without the logging permit-hostdown command and the destination server is down, all TCP sessions will be stuck inside the source device and cause the source device (ASA firewall) to hang.

 

We want to avoid such kind of situation and that is why we want to use the logging permit-hostdown CLI.

 

However, we are not sure whether this command is compatible with our WLC.

My question is very simple. Could you confirm if the logging permit-hostdown can be used in the WLC please?

 

> ...However, we do not want to use UDP because it is not as reliable as TCP.

- In pure intranet environments, for instance with no WAN and/or VPN connections between source and destination, UDP is as reliable as TCP.

 M.




