On Mon, May 15, 2006 at 10:25:41AM -0400, Mark R. White wrote:
> Sandor, Good suggestion but I don't think it will work since syslog is UDP traffic.

Packets are packets. Run this on your syslog server:

    # tcpdump -i eth0 -n -s1500 -v udp port 514

Then send logs from your PIX. Then see what appears. No packets arriving at all is one problem; packets arriving with an unexpected source address is another.
> Also, it appears to be a very specific problem with our PIX firewall. This morning, our network engineer and I set up a half dozen other devices, routers and switches, and they are all logging without any issue. So for now, I'm going to chalk this up as an issue with the PIX IOS, and consider this issue closed.
That's not an obvious conclusion at all. Here we have several PIXes, running PIXOS 7.0 and 7.1, and we have no problems with syslog at all. The obvious other problems might be:

(1) The PIX is sending syslog packets, but the source IP address is not what you expected them to be. tcpdump will show you this.

(2) If tcpdump shows no packets arriving at all, then perhaps the PIX is sending them but they are being lost in transit (e.g. some other firewall in between, or the PIX is missing a static route which it would need to reach the syslog server). However it could also be PIX misconfiguration.

Regards,
Brian.
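The two checks Brian describes (nothing arriving at all, or packets arriving from a source address other than the PIX interface you configured on the syslog server) can be automated against the output of the tcpdump command above. The following script is an added example and not part of the original thread; it parses `tcpdump -n -v` style lines, and the capture sample, the expected source `192.0.2.10` and the outside-interface address `198.51.100.1` are all constructed for illustration.

```python
import re
import sys

# Matches the "src.port > dst.port:" flow part of a tcpdump line for IPv4 UDP.
# With -v, tcpdump prints the IP header on one line and the flow on an indented
# continuation line, so every line is scanned and non-matching ones are skipped.
FLOW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):")

# Constructed sample: one packet from the expected PIX address, one from a
# different (outside) interface address, both aimed at the syslog server.
SAMPLE_CAPTURE = """\
10:25:41.100001 IP (tos 0x0, ttl 255, id 1, offset 0, flags [none], proto UDP (17), length 120)
    192.0.2.10.514 > 192.0.2.50.514: SYSLOG, length: 92
10:25:41.200002 IP (tos 0x0, ttl 255, id 2, offset 0, flags [none], proto UDP (17), length 110)
    198.51.100.1.514 > 192.0.2.50.514: SYSLOG, length: 82
"""


def diagnose(capture_lines, expected_src, syslog_port=514):
    """Classify a capture of UDP syslog traffic.

    Returns a dict with the number of syslog packets seen, a count of packets
    per unexpected source address, and a one-line verdict.
    """
    packets = 0
    unexpected = {}
    for line in capture_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # header/continuation line without a flow, skip it
        src, dport = m.group(1), int(m.group(4))
        if dport != syslog_port:
            continue  # some other UDP traffic caught by a loose filter
        packets += 1
        if src != expected_src:
            unexpected[src] = unexpected.get(src, 0) + 1
    if packets == 0:
        verdict = "no syslog packets arrived: check routes and intermediate firewalls, then the PIX logging config"
    elif unexpected:
        verdict = "packets arrived but from unexpected source address(es): " + ", ".join(sorted(unexpected))
    else:
        verdict = "ok"
    return {"packets": packets, "unexpected_sources": unexpected, "verdict": verdict}


if __name__ == "__main__":
    # Usage: tcpdump -i eth0 -n -s1500 -v -l udp port 514 | python3 this_script.py 192.0.2.10
    expected = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_CAPTURE.splitlines()
    print(diagnose(source, expected)["verdict"])
```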