Cisco Bug: CSCuo90781 - FWSM block new conns with "logging permit-hostdown" & TCP syslog is down

Last Modified

May 17, 2016

Products (1)

  • Cisco Catalyst 6500 Series Firewall Services Module

Known Affected Releases

4.1(11), 4.1(15)

Description (partial)

Symptom:
The FWSM might block new connections when a configured TCP-based syslog server becomes unreachable, even though the command "logging permit-hostdown" is configured.
The symptom looks like an intermittent connectivity problem: new connections are denied while the TCP syslog server is unreachable and succeed again as soon as the FWSM can reach it, then fail again the next time communication with the server is lost.

Conditions:
All of the following conditions must be met in order to encounter this problem:
1. FWSM running 4.1(11) or later in single context mode.
2. A syslog server is configured with the TCP protocol.
3. The syslog server becomes unreachable from the FWSM.

The 'logging permit-hostdown' command should allow new connections even when the TCP-based syslog server is unreachable, but because of this bug new connections might still be denied with this option configured.

When this problem is encountered, the following counter in the output of the command 'show np 3 stats' increments:

    Deny Conns (Conn State): 34013
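The two checks above (is the FWSM exposed to this bug, and is it currently denying connections because of it) can be scripted against the output of 'show running-config' and two successive 'show np 3 stats' snapshots. The block below is an added example, not Cisco's code or text from the bug report: the configuration excerpt, the interface name, the server addresses and the second counter value are constructed for illustration; only the 'logging permit-hostdown' command and the 'Deny Conns (Conn State)' counter line come from the page. The 'logging host <interface> <ip> tcp/<port>' syntax and the UDP/514 default when no protocol is given are standard ASA/FWSM logging syntax and are assumed to apply unchanged here.

```python
import re

# Constructed running-config excerpt (not from the bug page). One TCP syslog
# host, one default (UDP/514) host, and the permit-hostdown option set.
SAMPLE_CONFIG = """\
logging enable
logging timestamp
logging trap informational
logging host inside 192.0.2.10 tcp/1470
logging host inside 192.0.2.11
logging permit-hostdown
"""

# Constructed 'show np 3 stats' excerpts taken at two points in time. The
# first counter value is the one quoted in the bug text; the second is made up.
STATS_BEFORE = "Deny Conns (Conn State): 34013\n"
STATS_AFTER = "Deny Conns (Conn State): 34190\n"

# 'logging host <if> <ip> [tcp|udp|6|17]/<port>'; ASA/FWSM also accept the
# IP protocol number (6 = TCP, 17 = UDP) in place of the keyword.
LOGGING_HOST_RE = re.compile(
    r"^logging host (\S+) (\S+)(?: (tcp|udp|6|17)/(\d+))?", re.MULTILINE)
PERMIT_HOSTDOWN_RE = re.compile(r"^logging permit-hostdown\s*$", re.MULTILINE)
DENY_RE = re.compile(r"Deny Conns \(Conn State\):\s*(\d+)")


def tcp_syslog_hosts(config):
    """Return (interface, ip, port) for every syslog server configured over TCP.

    A 'logging host' line without a protocol keyword means UDP/514 and is not
    a trigger for this bug, so it is skipped.
    """
    hosts = []
    for m in LOGGING_HOST_RE.finditer(config):
        iface, ip, proto, port = m.groups()
        if proto in ("tcp", "6"):
            hosts.append((iface, ip, int(port)))
    return hosts


def has_permit_hostdown(config):
    """True if 'logging permit-hostdown' is present in the configuration."""
    return PERMIT_HOSTDOWN_RE.search(config) is not None


def deny_conn_delta(before, after):
    """Increase of the 'Deny Conns (Conn State)' counter between two snapshots.

    Returns None if either snapshot lacks the counter line.
    """
    b = DENY_RE.search(before)
    a = DENY_RE.search(after)
    if not (b and a):
        return None
    return int(a.group(1)) - int(b.group(1))


def assess(config, before, after):
    """Combine the config audit with the counter check.

    'exposed' means the configuration matches the bug's preconditions (a TCP
    syslog host plus permit-hostdown, which should have allowed new
    connections). 'symptomatic' additionally requires the deny counter to
    have grown between the two snapshots. Context mode cannot be read from
    this excerpt and must be verified separately.
    """
    tcp_hosts = tcp_syslog_hosts(config)
    permit = has_permit_hostdown(config)
    delta = deny_conn_delta(before, after)
    exposed = bool(tcp_hosts) and permit
    return {
        "tcp_syslog_hosts": tcp_hosts,
        "permit_hostdown": permit,
        "deny_conn_delta": delta,
        "exposed": exposed,
        "symptomatic": exposed and delta is not None and delta > 0,
    }


if __name__ == "__main__":
    for k, v in assess(SAMPLE_CONFIG, STATS_BEFORE, STATS_AFTER).items():
        print(f"{k}: {v}")
```

A rising counter alone is not proof: 'Deny Conns (Conn State)' also counts legitimately denied connections, so correlate the increase with the reachability of the TCP syslog host (the third condition above) before attributing it to this bug.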