"access-list logging rate-limited or missed <X> packets"

Discussion in 'Cisco' started by John Caruso, Oct 15, 2003.

  1. John Caruso

    John Caruso Guest

    We're frequently seeing this message from two separate Internet-facing
    Cisco routers which send their syslog output to a central logging server.
    Both routers are running 12.3(1a). The routers both have plenty of CPU
    and RAM available, have no "logging rate-limit" specified, and are
    generating these messages even when the logging buffer is nearly empty.

    The volume of these messages is running well above the volume of actual,
    useful messages from these routers...as an example, out of 104388 syslog
    messages one of the routers generated last week, 59794 of them were these
    "%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed <X>
    packets" messages.

    At Cisco's request we've tried upping the logging buffer size and setting
    "logging rate-limit 10000" (even though the default is supposedly that
    there's no limit); neither action helped.

    Can anyone say what might be going on here? How do we get our routers to
    stop dropping useful log information on the ground? I can't think of any
    valid reason for a router with this much free CPU and RAM to refuse to
    log so many messages.

    - John
     
    John Caruso, Oct 15, 2003
    #1

  2. Aaron Woody

    Aaron Woody Guest

    John,

    It sounds to me like you are logging in two places: 1 - syslog
    server, 2 - buffer. Is it your intention to log in both locations? If
    not, stop the logging to the buffer and just log to the syslog server.

    Aaron

    John Caruso <> wrote in message news:<>...
    > We're frequently seeing this message from two separate Internet-facing
    > Cisco routers which send their syslog output to a central logging server.
    > Both routers are running 12.3(1a). The routers both have plenty of CPU
    > and RAM available, have no "logging rate-limit" specified, and are
    > generating these messages even when the logging buffer is nearly empty.
    >
    > The volume of these messages is running well above the volume of actual,
    > useful messages from these routers...as an example, out of 104388 syslog
    > messages one of the routers generated last week, 59794 of them were these
    > "%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed <X>
    > packets" messages.
    >
    > At Cisco's request we've tried upping the logging buffer size and setting
    > "logging rate-limit 10000" (even though the default is supposedly that
    > there's no limit); neither action helped.
    >
    > Can anyone say what might be going on here? How do we get our routers to
    > stop dropping useful log information on the ground? I can't think of any
    > valid reason for a router with this much free CPU and RAM to refuse to
    > log so many messages.
    >
    > - John
     
    Aaron Woody, Oct 21, 2003
    #2

  3. John Caruso

    John Caruso Guest

    Thanks for the response (I'm surprised that I didn't hear more responses,
    since I'm sure we're not the only site that's run into this issue).

    In article <>, Aaron Woody wrote:
    > It sounds to me like you are logging in two places: 1 - syslog
    > server, 2 - buffer. Is it your intention to log in both locations? If
    > not, stop the logging to the buffer and just log to the syslog server.


    I can do that (the buffer logging isn't really necessary, though it's nice
    as a fallback), but it doesn't do anything about the actual problem. I'm
    guessing that you were thinking the rate limit on buffer logging was causing
    rate-limiting messages in syslog, but that's not the case.

    The only workaround I've found so far is to use "ip access-list log-update
    threshold 1", which forces a flush of the access-list logging buffers after
    every single violation. However, Cisco strongly recommends against using
    this, and I certainly don't want to use it since it greatly increases the
    number of messages logged. In fact I'm not sure why this even does fix the
    problem, since Cisco claims that routers will never log two messages within
    1 second of each other (an assertion that's contradicted by our own syslog
    logfiles, but still, that's what they say).

    If anyone has any other suggestions they'd be appreciated.

    - John
     
    John Caruso, Oct 27, 2003
    #3
  4. Juraj Ljubesic

    On Mon, 27 Oct 2003 22:29:20 GMT, John Caruso
    <> wrote:

    ......
    >The only workaround I've found so far is to use "ip access-list log-update
    >threshold 1", which forces a flush of the access-list logging buffers after
    >every single violation. However, Cisco strongly recommends against using
    >this, and I certainly don't want to use it since it greatly increases the
    >number of messages logged. In fact I'm not sure why this even does fix the
    >problem, since Cisco claims that routers will never log two messages within
    >1 second of each other (an assertion that's contradicted by our own syslog
    >logfiles, but still, that's what they say).


    I have a similar problem with a 2691.
    In these circumstances I really don't understand what the purpose of the
    command "logging rate-limit X" is,
    where X is "<1-10000> Messages per second".

    Jura

    >
    >If anyone has any other suggestions they'd be appreciated.
    >
    >- John
     
    Juraj Ljubesic, Oct 28, 2003
    #4
  5. John Caruso

    John Caruso Guest

    In article <>, Juraj Ljubesic wrote:
    > On Mon, 27 Oct 2003 22:29:20 GMT, John Caruso <> wrote:
    >>The only workaround I've found so far is to use "ip access-list log-update
    >>threshold 1", which forces a flush of the access-list logging buffers after
    >>every single violation. However, Cisco strongly recommends against using
    >>this, and I certainly don't want to use it since it greatly increases the
    >>number of messages logged. In fact I'm not sure why this even does fix the
    >>problem, since Cisco claims that routers will never log two messages within
    >>1 second of each other (an assertion that's contradicted by our own syslog
    >>logfiles, but still, that's what they say).

    >
    > I have a similar problem with a 2691.
    > In these circumstances I really don't understand what the purpose of the
    > command "logging rate-limit X" is,
    > where X is "<1-10000> Messages per second".


    My understanding thus far in going through this with Cisco support is that
    "logging rate-limit X" is global to ALL logging messages, but the built-in
    1 message per second rate limit is specific to access list logging (and
    there's no limit by default on the number of logging messages other than
    ACL logging messages). So you can set "logging rate-limit" all you want,
    but it won't affect the operation of ACL logging.

    That's why you have to use "ip access-list log-update threshold" instead
    to affect ACL logging (there's also an undocumented "ip access-list log
    interval" command that can be used to change the default 5-minute interval
    for generation of duplicate log messages).

    This is all rather cloudy. The Cisco support guy is still trying to get
    a straight answer on all this from the developers--especially in light of
    the fact that we've seen 1) multiple ACL logging messages within a second
    of each other, and 2) "rate-limiting" logging messages more than a second
    after a valid logging message. Neither of those should be possible if the
    1-second limit is really in place, and if it's the source of our problems.

    - John
     
    John Caruso, Oct 28, 2003
    #5
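A log-side check for what this thread describes, added here as an example and not code from the thread or from Cisco: it measures the share of %SEC-6-IPACCESSLOGRL notices in a capture (the 59794-of-104388 figure from post #1), sums the packets those notices say went unlogged, and flags the two timing anomalies from post #5 (two genuine ACL log entries under 1 second apart, and an RL notice arriving more than 1 second after the last genuine ACL entry). The syslog lines are constructed, in the shape IOS produces with "service timestamps log datetime msec", and the 1-second threshold is the limit Cisco support quoted to John.

```python
import re
from datetime import datetime

# Constructed sample router syslog (not taken from the thread). The two
# IPACCESSLOGP lines are 0.52 s apart; each RL notice arrives >1 s after
# the last genuine ACL entry, i.e. both anomalies from post #5 are present.
SAMPLE_LOG = """\
Oct 27 22:29:19.120: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4321) -> 198.51.100.10(23), 1 packet
Oct 27 22:29:19.640: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4322) -> 198.51.100.10(23), 1 packet
Oct 27 22:29:24.010: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 137 packets
Oct 27 22:29:25.500: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.9 -> 198.51.100.10 (8/0), 3 packets
Oct 27 22:29:30.000: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 42 packets
Oct 27 22:30:01.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# IOS line: optional '*'/'.' clock-status prefix, timestamp, then %FAC-SEV-MNEMONIC: text
LINE_RE = re.compile(
    r"^[*.]?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?): "
    r"%(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<msg>.*)$")
MISSED_RE = re.compile(r"missed (\d+) packets")


def parse_line(line):
    """Return {ts, mnem, missed} for one IOS syslog line, or None if it is not one.
    Timestamps carry no year (strptime fills in 1900); only deltas are used."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fmt = "%b %d %H:%M:%S.%f" if "." in m["ts"] else "%b %d %H:%M:%S"
    missed = MISSED_RE.search(m["msg"])
    return {"ts": datetime.strptime(m["ts"], fmt), "mnem": m["mnem"],
            "missed": int(missed[1]) if missed else 0}


def analyze(text, limit_seconds=1.0):
    """Summarise ACL logging health over a capture; limit_seconds is the
    per-router ACL logging rate limit Cisco support quoted in the thread."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    hits = [e for e in events
            if e["mnem"].startswith("IPACCESSLOG") and e["mnem"] != "IPACCESSLOGRL"]
    rl = [e for e in events if e["mnem"] == "IPACCESSLOGRL"]
    # Genuine ACL entries closer than the limit contradict the stated limit.
    sub_second = sum(1 for a, b in zip(hits, hits[1:])
                     if (b["ts"] - a["ts"]).total_seconds() < limit_seconds)
    # An RL notice well after the last genuine entry means drops with nothing to drop for.
    late_rl = 0
    for e in rl:
        prior = [h["ts"] for h in hits if h["ts"] <= e["ts"]]
        if prior and (e["ts"] - prior[-1]).total_seconds() > limit_seconds:
            late_rl += 1
    return {"messages": len(events), "acl_logged": len(hits), "rl_notices": len(rl),
            "rl_share": round(len(rl) / len(events), 3) if events else 0.0,
            "packets_unlogged": sum(e["missed"] for e in rl),
            "sub_second_pairs": sub_second, "late_rl_notices": late_rl}
```

Run it over a day of a router's syslog to get the same ratio John quotes, plus how many denied packets the RL notices admit were never individually logged; a non-zero late_rl_notices count is the evidence to take back to the vendor.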
  6. Juraj Ljubesic

    Thanks a lot!

    Now I lose about 1% of log records instead of 50-70%.

    Thanks again.

    Jura
     
    Juraj Ljubesic, Oct 29, 2003
    #6