http://blog.clearnetsec.com/articles/2007/08/23/tech-note-on-syslog-tcp-and-cisco-asa-pix en-us 40 <p>Absent of Cisco wizard skills caused me a little pain yesterday. I remotely configured my Cisco ASA to forward syslog via TCP to a central log host. When I subsequently rebooted the central log host, I lost the ability to establish new connections to anything behind the ASA. </p> <p> Luckily, I had an established session to a system with a serial connection which enabled me to recover. </p> <p> I hadn’t run into this before, but I confirmed my experience: </p> <blockquote> 1. If it is unable to log via a defined TCP syslog session, a PIX will not create any new connections (although connections opened before the failure of the session will continue to work). The PIX will log a message to the console stating that it is disallowing new connections. <br /> 2. In order to re-establish connection activity, the privileged set logging command, with the correct parameters, will have to be entered or the PIX reloaded. </blockquote> Thu, 23 Aug 2007 19:05:00 -0600 urn:uuid:3f86cb2c-62db-467b-9744-fc0f81909cee tate@ClearNetSec.com (Tate Hansen) http://blog.clearnetsec.com/articles/2007/08/23/tech-note-on-syslog-tcp-and-cisco-asa-pix ClearNet ClearNet Security Tate Hansen Cisco logging syslog tcp asa <p>Unfortunately, this is normal behavior. When a person configures the ASA to send msgs to a syslog server using TCP; if the server is down the ASA stops forwarding packets. To avoid this you have to use the &#8220;permit-hostdown&#8221; command at the end of the logging host command. For example:</p> <p>hostname(config)# logging host interface<em>name server</em>ip [tcp/port] [permit-hostdown] </p> <p>This is not required for UDP (default) syslog configuration.</p> <p>Regards,</p> <p>Omar Santos Cisco</p> Thu, 23 Aug 2007 20:58:24 -0600 urn:uuid:5ba4f807-8277-4d4a-9a2a-8d6b4a4d5ce1 http://blog.clearnetsec.com/articles/2007/08/23/tech-note-on-syslog-tcp-and-cisco-asa-pix#comment-45