"access-list logging rate-limited or missed <X> packets"

 
 
John Caruso
      10-15-2003
We're frequently seeing this message from two separate Internet-facing
Cisco routers which send their syslog output to a central logging server.
Both routers are running 12.3(1a). The routers both have plenty of CPU
and RAM available, have no "logging rate-limit" specified, and are
generating these messages even when the logging buffer is nearly empty.

The volume of these messages is running well above the volume of actual,
useful messages from these routers...as an example, out of 104388 syslog
messages one of the routers generated last week, 59794 of them were these
"%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed <X>
packets" messages.

At Cisco's request we've tried upping the logging buffer size and setting
"logging rate-limit 10000" (even though the default is supposedly that
there's no limit); neither action helped.

Can anyone say what might be going on here? How do we get our routers to
stop dropping useful log information on the ground? I can't think of any
valid reason for a router with this much free CPU and RAM to refuse to
log so many messages.

- John
 
Aaron Woody
      10-21-2003
John,

It sounds to me like you are logging in two places. 1 - Syslog
server, 2 - buffer. Is it your intention to log in both locations? If
not, stop the logging to the buffer and just log to syslog server.

Aaron

John Caruso wrote:
> We're frequently seeing this message from two separate Internet-facing
> Cisco routers which send their syslog output to a central logging server.
> Both routers are running 12.3(1a). The routers both have plenty of CPU
> and RAM available, have no "logging rate-limit" specified, and are
> generating these messages even when the logging buffer is nearly empty.
>
> The volume of these messages is running well above the volume of actual,
> useful messages from these routers...as an example, out of 104388 syslog
> messages one of the routers generated last week, 59794 of them were these
> "%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed <X>
> packets" messages.
>
> At Cisco's request we've tried upping the logging buffer size and setting
> "logging rate-limit 10000" (even though the default is supposedly that
> there's no limit); neither action helped.
>
> Can anyone say what might be going on here? How do we get our routers to
> stop dropping useful log information on the ground? I can't think of any
> valid reason for a router with this much free CPU and RAM to refuse to
> log so many messages.
>
> - John

 
John Caruso
      10-27-2003
Thanks for the response (I'm surprised that I didn't hear more responses,
since I'm sure we're not the only site that's run into this issue).

Aaron Woody wrote:
> It sounds to me like you are logging in two places. 1 - Syslog
> server, 2 - buffer. Is it your intention to log in both locations? If
> not, stop the logging to the buffer and just log to syslog server.


I can do that (the buffer logging isn't really necessary, though it's nice
as a fallback), but it doesn't do anything about the actual problem. I'm
guessing that you were thinking the rate limit on buffer logging was causing
rate-limiting messages in syslog, but that's not the case.

The only workaround I've found so far is to use "ip access-list log-update
threshold 1", which forces a flush of the access-list logging buffers after
every single violation. However, Cisco strongly recommends against using
this, and I certainly don't want to use it since it greatly increases the
number of messages logged. In fact I'm not sure why this even does fix the
problem, since Cisco claims that routers will never log two messages within
1 second of each other (an assertion that's contradicted by our own syslog
logfiles, but still, that's what they say).

If anyone has any other suggestions they'd be appreciated.

- John
 
Juraj Ljubesic
      10-28-2003
On Mon, 27 Oct 2003 22:29:20 GMT, John Caruso wrote:

......
>The only workaround I've found so far is to use "ip access-list log-update
>threshold 1", which forces a flush of the access-list logging buffers after
>every single violation. However, Cisco strongly recommends against using
>this, and I certainly don't want to use it since it greatly increases the
>number of messages logged. In fact I'm not sure why this even does fix the
>problem, since Cisco claims that routers will never log two messages within
>1 second of each other (an assertion that's contradicted by our own syslog
>logfiles, but still, that's what they say).


I have a similar problem with a 2691.
In these circumstances I really don't understand what the purpose is of
the command "logging rate-limit X",
where X is "<1-10000> Messages per second".

Jura

>
>If anyone has any other suggestions they'd be appreciated.
>
>- John


 
John Caruso
      10-28-2003
Juraj Ljubesic wrote:
> On Mon, 27 Oct 2003 22:29:20 GMT, John Caruso wrote:
>>The only workaround I've found so far is to use "ip access-list log-update
>>threshold 1", which forces a flush of the access-list logging buffers after
>>every single violation. However, Cisco strongly recommends against using
>>this, and I certainly don't want to use it since it greatly increases the
>>number of messages logged. In fact I'm not sure why this even does fix the
>>problem, since Cisco claims that routers will never log two messages within
>>1 second of each other (an assertion that's contradicted by our own syslog
>>logfiles, but still, that's what they say).

>
> I have a similar problem with a 2691.
> In these circumstances I really don't understand what the purpose is of
> the command "logging rate-limit X",
> where X is "<1-10000> Messages per second".


My understanding thus far in going through this with Cisco support is that
"logging rate-limit X" is global to ALL logging messages, but the built-in
1 message per second rate limit is specific to access list logging (and
there's no limit by default on the number of logging messages other than
ACL logging messages). So you can set "logging rate-limit" all you want,
but it won't affect the operation of ACL logging.

That's why you have to use "ip access-list log-update threshold" instead
to affect ACL logging (there's also an undocumented "ip access-list log
interval" command that can be used to change the default 5-minute interval
for generation of duplicate log messages).

This is all rather cloudy. The Cisco support guy is still trying to get
a straight answer on all this from the developers--especially in light of
the fact that we've seen 1) multiple ACL logging messages within a second
of each other, and 2) "rate-limiting" logging messages more than a second
after a valid logging message. Neither of those should be possible if the
1-second limit is really in place, and if it's the source of our problems.

- John
 
Juraj Ljubesic
      10-29-2003

Thanks a lot!

Now I lose about 1% of log records instead of 50-70%.

Thanks again.

Jura
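
The two measurements discussed in this thread (how much of a router's syslog volume is %SEC-6-IPACCESSLOGRL and how many packets it reports as missed, plus whether ACL log messages really arrive less than a second apart) can be taken from the central log file. This is an added example, not code posted by anyone in the thread; the syslog line layout, the host names and the sample lines are constructed, and the sub-second check assumes the routers stamp messages with milliseconds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not from the thread): syslog-server prefix, router name,
# sequence number, then the router's own millisecond timestamp and message.
SAMPLE = """\
Oct 27 14:02:11 rtr-a 101: Oct 27 14:02:10.912: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.0.2.10(4312) -> 198.51.100.5(445), 1 packet
Oct 27 14:02:11 rtr-a 102: Oct 27 14:02:11.304: %SEC-6-IPACCESSLOGP: list 110 denied udp 192.0.2.77(1026) -> 198.51.100.9(137), 1 packet
Oct 27 14:02:12 rtr-a 103: Oct 27 14:02:11.480: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 14 packets
Oct 27 14:02:15 rtr-a 104: Oct 27 14:02:14.900: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 1 packet
Oct 27 14:02:20 rtr-a 105: Oct 27 14:02:19.250: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
Oct 27 14:02:21 rtr-b 88: Oct 27 14:02:20.100: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 203.0.113.4 -> 198.51.100.1 (8/0), 1 packet
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) \d+: "
                  r"(?P<ts>\w{3}\s+\d+ [\d:]{8}\.\d{3}): %(?P<tag>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$")
MISSED = re.compile(r"rate-limited or missed (\d+) packets?")  # "1 packet" or "N packets"

def summarize(text, year=2003):
    """Per-router counts: all messages, rate-limit notices, packets reported
    missed, ACL hit messages, and ACL hits logged < 1 s after the previous one."""
    stats = defaultdict(lambda: {"total": 0, "rl_msgs": 0, "missed_pkts": 0,
                                 "acl_msgs": 0, "sub_second": 0})
    last_acl = {}  # host -> router timestamp of the previous ACL hit message
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparsed lines are skipped, not counted
        s = stats[m["host"]]
        s["total"] += 1
        if m["tag"] == "SEC-6-IPACCESSLOGRL":
            s["rl_msgs"] += 1
            hit = MISSED.search(m["msg"])
            s["missed_pkts"] += int(hit.group(1)) if hit else 0
        elif m["tag"].startswith("SEC-6-IPACCESSLOG"):  # LOGP, LOGDP, LOGNP, ...
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            prev = last_acl.get(m["host"])
            if prev is not None and (ts - prev).total_seconds() < 1.0:
                s["sub_second"] += 1
            last_acl[m["host"]] = ts
            s["acl_msgs"] += 1
    return {host: dict(v) for host, v in stats.items()}

if __name__ == "__main__":
    for host, s in summarize(SAMPLE).items():
        print(host, s, f"rate-limit share {100 * s['rl_msgs'] / s['total']:.0f}%")
```

Running it before and after a configuration change gives the same kind of before/after loss comparison reported in the last post.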
 