ION Syslog forwarding using the controller as the source interface failing post-upgrade to versions 6.5.1 and 6.5.2
482
Created On 05/23/25 14:49 PM - Last Modified 07/08/25 20:55 PM
Symptom
- The device is unable to send syslog messages to servers after the upgrade to software versions 6.5.1 and 6.5.2.
- The command output of dump syslog-rtr stats shows the syslog connection failed
# dump syslog-rtr stats
Syslog service is running
Server Name : test-syslog
Enabled : true
Flow logging Enabled : true
Connected : false
IP : 10.3.9.20
Vni : 0
Server FQDN : NA
Port : 514
Protocol : 17
Cipher Info : NA
Src Interface : e202
Src Interface IP : 192.168.1.100
Alarm Enabled : true
Alarm Reason : connection_failure
Connect Fail Count : 18
Connect Success Count : 0
Send Fail Count : 0
Send Skip Count : 0
Send Skip Severity Count: 1151
Send Retry Count : 0
Send Success Count : 0
Server Disconnect Count : 0
Total Queued Messages : 0
Sockfd : -1
- The syslog_rtr logs shows an error when trying to set the controller as the source interface on the ION
{"_ts":"2025-05-15T16:18:43.570Z","_level":"err","_pid":16086,"_msgid":"Controller interface used for controller","_prog":"slog_rtr","_fac":"syslog_rtr","_thread":"7f33a06f3700"}
{"_ts":"2025-05-15T16:18:43.570Z","_level":"err","_pid":16086,"_msgid":"setsockopt() failed, device Global, errno = No such device","_prog":"slog_rtr","_fac":"syslog_rtr","_thread":"7f33a06f3700"}
Environment
- Prisma SD-WAN ION software versions: 6.5.1 and 6.5.2
- Syslog forwarding enabled
- Controller interface used as the source interface
Cause
- The syslog connection via the controller interface tries to use the VRF name instead of the interface name.
Resolution
- As a workaround, use a LAN interface instead of the controller as the source interface for syslog forwarding on the ION.
- The issue is targeted to be fixed via a hot-fix release in version 6.5.2-b3 and 6.5.3 under CGSDW-27265.
Additional Information
N/A