Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
How To Troubleshoot Connection Failures To Syslog Servers - Knowledge Base - Palo Alto Networks

How To Troubleshoot Connection Failures To Syslog Servers

84757
Created On 02/10/22 23:16 PM - Last Modified 08/23/23 22:37 PM


Objective


Troubleshoot connection failures to log-forwarding servers (syslog server).

Environment


  • Firewall
  • Log-forwarding server (syslog server)


Procedure


  1. From the firewall, check if syslog-ng is running with the CLI
    1. admin@PA> debug syslog-ng status
      syslog-ng (pid 3578 3577) is running...
  2. From the firewall, check if syslog-ng sends out data or drops data using CLI. Check if syslog-ng has connection stats to the server. It is expected to see the network socket information towards the syslog server. 
    1. > debug syslog-ng stats
  3. On the Firewall, check the Service Route to the Log Collector
Device > Setup > Services > Service Route Configuration > click Customize > Syslog
  1. If Service Route is set to "Use Management Interface for all" or "Use Default" then from the firewall CLI:
    1. Check IP connection between firewall and the syslog server.
    2. ping host <IP address of syslog server>
      If ping is successful then proceed to (b) otherwise check physical layer1 and data link layer2 on your network.
    3. Perform a traceroute check to the syslog server:
      traceroute host <IP address of the syslog server>
      Similarly perform a traceroute check from the syslog server to the management IP address of the firewall.
      
    4. Check TCP connection between firewall and the syslog server using this command if TCP port is 514 otherwise replace 514 with corresponding port number.
      show netstat numeric-host yes numeric-port yes all yes | match 514
      Connection should show established if not then.
    5. Check Permitted IP Address (Device > Setup> Interfaces > click Management > Permitted IP Addresses)
    6. Perform a tcpdump on the firewall management interface using this command if TCP port is 514 otherwise replace 514 with corresponding port number.
      tcpdump filter "port 514" snaplen 0
    7. Export the tcpdump packet capture to a scp or tftp server and analyze it to root cause the connection issue between firewall and the syslog server.
      scp export mgmt-pcap from mgmt.pcap to username@host:path
      
    8. Take packet capture on syslog server
  1. What to look for in tcpdump captures from previous steps
    1. Look for the completion of the TCP handshake. If the 3way handshake does not complete, then check if an intermediate device could be dropping this traffic.
    2. If using TLS then check if SSL handshake completed. If the SSL handshake doesn’t complete, then check that the SSL certificate on the Syslog server has not expired.
    3. If the handshake completes, compare the PCAPs on the two devices to determine which device might not be closing the connection.
  2. If service route is dataplane interface then from the firewall CLI:
    1. Check IP connection between firewall dataplane interface and the syslog server.
      ping source <IP address of the dataplane interface> host <IP address of syslog server>
      If ping is successful then proceed to b otherwise check physical layer1 and data link layer2 on your network.
      
    2. Perform a traceroute check to the syslog server:
      traceroute source <IP address of the dataplane interface> host <IP address of the syslog server>
      Similarly perform a traceroute check from the syslog server command line to the IP address of the dataplane of the firewall.
      
    3. Check TCP connection between firewall and the syslog server by performing a packet capture on the dataplane using GUI.
Check knowledge base Getting Started: Packet Capture
  1. Check the session details on the firewall CLI.
    show session all filter source <IP address of the dataplane interface> destination <IP address of the syslog server>
    session should show active if discarded then check if firewall security policy, nat and routing.
    
  1. If above checks are done then check if any firewall or device in your network is blocking this connection.
 


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NC4CAM&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language