I had a quick flick through Cisco's Bugtool[1], and found this:

(CSCdx10113)
"If the syslog service is disabled on the server, such that the syslogs coming from the PIX generate an ICMP Port Unreachable message, and the PIX configuration includes the command "ip audit interface", the PIX will attempt to log the error messages coming back from the syslog server. This results in an ever increasing storm of sorts, and results in resource starvation on the PIX.

Workarounds include: disabling "ip audit interface" or disabling the logging of the receipt of ICMP port unreach messages."

On the surface, looks like a possibility, although you should probably do some more investigation. I'd whack a sniffer on the network where the syslog server is and see what sort of traffic is occurring.

Cheers,

[1] http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

--
Ben Nagy
Network Security Specialist
( ... Unemployed in Geneva ... )
Mb: TBA  PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Tuesday, May 14, 2002 8:05 PM
> To: [EMAIL PROTECTED]
> Subject: PIX high-cpu when logging stops
>
>
> Hi,
> Here's one to conjure with !
>
> We have a PIX 525.........we log directly to a KIWI syslog
> collector using UDP port 514 (honest, definitely not TCP !!)
> Today we experienced 98% CPU on the PIX, and found (by trial
> and error while searching for info in the logs) that the KIWI
> syslog daemon was down. Immediately we started it up the CPU
> dropped to almost nothing !
>
> Not believing this, we stopped & started the syslog collector
> a few times, and sure enough it was the cause of the high CPU ??
>
>
> My first question is (obviously) has anyone else heard or
> seen this before ?
>
> My second question is, how the heck does the PIX know that
> the syslog daemon is gone when it's using UDP !!!!!
>
> Is this a case for Mulder & Scully ??
> Cheers, Gordon
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> For Account Management (unsubscribe, get/change password,
> etc) Please go to: http://lists.gnac.net/mailman/listinfo/firewalls
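
Added example (not part of the original thread): one way to check a sniffer capture for the feedback loop the bug note describes, by counting per second the ICMP port unreachables the syslog server returns for UDP 514 and flagging a count that keeps growing. It assumes `tcpdump -n` text output; the addresses (10.0.0.1 for the PIX, 10.0.0.5 for the syslog server), the `min_rate` threshold and all sample lines are constructed for illustration.

```python
import re
from collections import Counter

# tcpdump -n text line for an ICMP port unreachable, e.g.
# 12:00:01.000123 IP 10.0.0.5 > 10.0.0.1: ICMP 10.0.0.5 udp port 514 unreachable, length 36
UNREACH = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP (?P<host>[\d.]+) udp port (?P<port>\d+) unreachable"
)

def unreachables_per_second(lines, server, port=514):
    """Count port unreachables sent by `server` for UDP `port`, keyed by (recipient, second)."""
    counts = Counter()
    for line in lines:
        m = UNREACH.match(line)
        if m and m["src"] == server and m["host"] == server and int(m["port"]) == port:
            counts[(m["dst"], m["ts"])] += 1
    return counts

def looks_like_storm(counts, recipient, min_rate=3):
    """True when the per-second count towards `recipient` never drops, grows overall,
    and ends at or above `min_rate` (an arbitrary threshold chosen for this example)."""
    # HH:MM:SS strings sort chronologically within one day of capture.
    series = [n for (dst, ts), n in sorted(counts.items(), key=lambda kv: kv[0][1])
              if dst == recipient]
    if len(series) < 2:
        return False
    rising = all(b >= a for a, b in zip(series, series[1:]))
    return rising and series[-1] > series[0] and series[-1] >= min_rate

def _unreach(ts, n, port=514):
    """Build n constructed capture lines for second `ts` (sample data, not a real capture)."""
    return [f"{ts}.{i:06d} IP 10.0.0.5 > 10.0.0.1: ICMP 10.0.0.5 udp port {port} "
            "unreachable, length 36" for i in range(n)]

# Constructed sample: 10.0.0.1 stands in for the PIX, 10.0.0.5 for the syslog server.
STORM = (_unreach("12:00:01", 1) + _unreach("12:00:02", 2) + _unreach("12:00:03", 4)
         + _unreach("12:00:03", 1, port=161)   # unrelated port, must be ignored
         + ["12:00:03.500000 IP 10.0.0.9 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64"])
STEADY = _unreach("12:00:01", 2) + _unreach("12:00:02", 2) + _unreach("12:00:03", 2)

if __name__ == "__main__":
    for name, capture in (("storm", STORM), ("steady", STEADY)):
        counts = unreachables_per_second(capture, server="10.0.0.5")
        print(name, dict(counts), looks_like_storm(counts, "10.0.0.1"))
```

A flat count of unreachables only shows that the collector is down; a count that rises from one second to the next is the pattern that matches the logging loop in the bug description.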
