Cisco 3660 router logging slow

Status
Not open for further replies.

ksas025

Technical User
Jun 3, 2004
92
US
I have a 3660 router with an access-list limiting traffic from one of its interfaces. That access-list has a rule at the end to log any packets that do not successfully evaluate true in the list.

The router logs entries of denied packets very slowly. For example, the access-list denies telnet from the restricted LAN to the world. When I attempt to telnet to an asset located in the world, the router takes about a minute to log the denied packet. What's more is that the router's timestamp is a minute late also.

Has anyone else experienced the phenomenon? Any troubleshooting ideas would be appreciated.

Alex


 
That is weird. Maybe it’s waiting on your attempt to time out or quit before it logs it. Try it again and kill your telnet application as soon as you start/open it and see if the router logs it sooner. Also, what are your service timestamps lines? May have nothing to do with it…
 
I agree that it is rather weird.

I tried killing my client application, ftp and telnet, with no change in performance.

I do notice, however, that my router log entries append the number of packets that were denied:

Sep 27 14:09:02 router1 3404373: Sep 27 14:09:01.106 CST: %SEC-6-IPACCESSLOGP: list 102 denied tcp x.x.x.x(3285) -> x.x.x.x(17824), 2 packets
Sep 27 14:09:04 router1 3404374: Sep 27 14:09:03.702 CST: %SEC-6-IPACCESSLOGP: list 105 denied udp x.x.x.x(161) -> x.x.x.x(1032), 3 packets
Sep 27 14:09:34 router1 3404375: Sep 27 14:09:33.835 CST: %SEC-6-IPACCESSLOGP: list 105 denied udp x.x.x.201(161) -> x.x.x.x(1190), 1 packet

I wonder if the router is buffering the denied log entries then generating them after some time? Is there a way to turn off this "consolidation" of log entries?
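
Added example (not part of the original thread): a Python parser for the `%SEC-6-IPACCESSLOGP` lines quoted above that extracts the per-entry packet count and compares the collector's receive timestamp with the router's own timestamp, which separates delay in transit from delay before the router generated the message. It assumes the leading number is the router's syslog sequence number and that both clocks are synchronised; the function names are illustrative.

```python
import re
from datetime import datetime

# The three syslog lines quoted in the post above, addresses redacted as posted.
SAMPLE = [
    "Sep 27 14:09:02 router1 3404373: Sep 27 14:09:01.106 CST: %SEC-6-IPACCESSLOGP: list 102 denied tcp x.x.x.x(3285) -> x.x.x.x(17824), 2 packets",
    "Sep 27 14:09:04 router1 3404374: Sep 27 14:09:03.702 CST: %SEC-6-IPACCESSLOGP: list 105 denied udp x.x.x.x(161) -> x.x.x.x(1032), 3 packets",
    "Sep 27 14:09:34 router1 3404375: Sep 27 14:09:33.835 CST: %SEC-6-IPACCESSLOGP: list 105 denied udp x.x.x.201(161) -> x.x.x.x(1190), 1 packet",
]

LINE = re.compile(
    r"^(?P<recv>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) (?P<seq>\d+): "
    r"(?P<sent>\w{3} +\d+ [\d:]{8}\.\d+) (?P<tz>\S+): "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\S+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\S+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

def _ts(text, fmt):
    # Syslog timestamps carry no year; pin a placeholder year so parsing is unambiguous.
    return datetime.strptime("2000 " + " ".join(text.split()), "%Y " + fmt)

def parse_line(line):
    """Return the fields of one IPACCESSLOGP line, or None if it does not match."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("seq", "sport", "dport", "count"):
        rec[key] = int(rec[key])
    recv = _ts(rec["recv"], "%b %d %H:%M:%S")      # stamped by the collector
    sent = _ts(rec["sent"], "%b %d %H:%M:%S.%f")   # stamped by the router
    # Assumption: router and collector clocks are synchronised, same time zone.
    rec["transit_s"] = round((recv - sent).total_seconds(), 3)
    return rec

def sequence_gaps(records):
    """Sequence numbers missing between records (messages lost or never sent)."""
    seqs = sorted(r["seq"] for r in records)
    return [n for a, b in zip(seqs, seqs[1:]) for n in range(a + 1, b)]

def report(lines):
    records = [r for r in map(parse_line, lines) if r]
    return records, sequence_gaps(records)

if __name__ == "__main__":
    records, gaps = report(SAMPLE)
    for r in records:
        print(r["seq"], "list", r["acl"], r["action"], r["proto"],
              r["count"], "pkts,", r["transit_s"], "s router-to-collector")
    print("missing sequence numbers:", gaps)
```

On the quoted lines every message reaches the collector within a second of the router's own timestamp and no sequence numbers are missing.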

 
I would assume your assumption is correct. It’s smarter than we give it credit for or using more logic than we. I don’t believe there is a way to turn it off. Is it a problem that it’s consolidating the messages? Maybe you should debug rather than log if you're trying to isolate something.
 
I recently used the “log” option while troubleshooting. It too was very late. I was debugging real-time so I had Terminal Monitor on. It wasn’t an issue for me as I had Debug running and was filtering exactly what I was looking for. I can see where the “log”, if used solely, would delay troubleshooting. I’m convinced it's buffering the results and reporting when the session is torn down.
 
Yes, I think I agree with you.

You say you were using debug mode. Can you give me an example of what you mean? I don't think I have ever used that for ACL troubleshooting before.

By the way, thanks for the extra info.

Alex
 
I wasn’t troubleshooting access-list but using access-list to help in my troubleshooting. I was using an access list to filter my debug. I wanted to see IP traffic from the Ethernet through the router and out my WAN port. Debugging IP traffic can be very dangerous as it may flood the processor and be detrimental to the functionality of the router. This would result in the router having to be power cycled to restore functionality, killing your debug.

In my case I performed commands similar to those listed below:

(config)#access-list 32 remark Debug filter (Ru55ell)
(config)#access-list 32 deny 10.10.10.205
(config)#access-list 32 permit 172.16.2.0 0.0.0.255 log
(config)#access-list 32 permit 207.68.173.0 0.0.0.255
(config)#access-list 32 permit 216.239.51.0 0.0.0.255

#debug list 32
#debug ip packet
IP packet debugging is on
for access list: 32

#un all
All possible debugging has been turned off

#debug list 32
#debug ip nat detailed
IP NAT detailed debugging is on
for access list: 32

There is another way to apply the access-list to the debug command.

#debug ip packet detail 32
IP packet debugging is on (detailed) for access list 32
 