Tech note on Syslog, TCP, and Cisco ASA/PIX
An absence of Cisco wizard skills caused me a little pain yesterday. I remotely configured my Cisco ASA to forward syslog via TCP to a central log host. When I subsequently rebooted the central log host, I lost the ability to establish new connections to anything behind the ASA.
Luckily, I had an established session to a system with a serial connection which enabled me to recover.
I hadn’t run into this before, but I confirmed my experience:
1. If it is unable to log via a defined TCP syslog session, a PIX will not create any new connections (although connections opened before the failure of the session will continue to work). The PIX will log a message to the console stating that it is disallowing new connections.
2. In order to re-establish connection activity, the privileged set logging command, with the correct parameters, will have to be entered or the PIX reloaded.
Unfortunately, this is normal behavior. When a person configures the ASA to send messages to a syslog server using TCP, if the server is down the ASA stops forwarding packets. To avoid this you have to use the “permit-hostdown” command at the end of the logging host command. For example:
hostname(config)# logging host interfacename serverip [tcp/port] [permit-hostdown]
This is not required for UDP (default) syslog configuration.
Regards,
Omar Santos, Cisco
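The configuration mistake described in the post is easy to catch before it bites: any `logging host` line that uses TCP without `permit-hostdown` turns a collector outage into a firewall outage. The following audit script is an added example, not code from the post or from Cisco. It parses `logging host` lines using the syntax quoted in the comment above (`logging host interfacename serverip [tcp/port] [permit-hostdown]`), treats a line with no protocol as UDP (the default, as the comment states), and flags the risky TCP entries. The sample running-config excerpt is constructed for illustration, and the assumed per-protocol default ports (514 for UDP, 1470 for TCP) are labelled in the code.

```python
import re

# "logging host <interface> <server> [tcp|udp[/port]] [other keywords...]"
# following the syntax quoted in the comment above. Other trailing keywords
# (e.g. format options) are captured in "rest" and only scanned for permit-hostdown.
LOGGING_HOST_RE = re.compile(
    r"^\s*logging\s+host\s+(?P<iface>\S+)\s+(?P<server>\S+)"
    r"(?:\s+(?P<proto>tcp|udp)(?:/(?P<port>\d+))?)?"
    r"(?P<rest>.*)$",
    re.IGNORECASE,
)

# Assumed defaults when no port is given: 514 for UDP (standard syslog),
# 1470 for TCP. Adjust if your platform documents something different.
DEFAULT_PORT = {"udp": 514, "tcp": 1470}


def parse_logging_hosts(config_text):
    """Return one dict per 'logging host' line found in an ASA running-config."""
    hosts = []
    for line in config_text.splitlines():
        m = LOGGING_HOST_RE.match(line)
        if not m:
            continue
        # No protocol on the line means UDP, which is the default per the comment.
        proto = (m.group("proto") or "udp").lower()
        port = int(m.group("port")) if m.group("port") else DEFAULT_PORT[proto]
        trailing = m.group("rest").lower().split()
        hosts.append({
            "interface": m.group("iface"),
            "server": m.group("server"),
            "proto": proto,
            "port": port,
            "permit_hostdown": "permit-hostdown" in trailing,
        })
    return hosts


def audit_logging_hosts(config_text):
    """Flag TCP syslog hosts lacking permit-hostdown.

    If such a collector goes down, the ASA stops admitting new connections,
    which is exactly the outage described in the post.
    """
    findings = []
    for h in parse_logging_hosts(config_text):
        if h["proto"] == "tcp" and not h["permit_hostdown"]:
            findings.append(
                f"logging host {h['interface']} {h['server']} tcp/{h['port']}: "
                "TCP syslog without permit-hostdown; a collector outage will "
                "block new connections through the firewall"
            )
    return findings


# Constructed sample running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
hostname asa-edge
logging enable
logging timestamp
logging trap informational
logging host inside 192.0.2.10 tcp/1470
logging host inside 192.0.2.11 tcp/1470 permit-hostdown
logging host dmz 198.51.100.5
logging host inside 192.0.2.12 udp/514
"""

if __name__ == "__main__":
    for finding in audit_logging_hosts(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run it against the output of `show running-config logging` saved to a file; only the first sample host is reported, because the second has `permit-hostdown` and the remaining two use UDP, where a dead collector does not affect forwarding.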