| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| We have a new server for our Smart Center so I have moved everything across. Everything is working except logging. I get this error in the tracker. Anyone got any ideas?

Number: 93
Date: 14Aug2006
Time: 10:05:42
Product: VPN-1 & FireWall-1
Interface: q57w2k2
Origin: devfwmng01 (10.5.161.16)
Type: Log
Action: Drop
Protocol: tcp
Service: FW1_log (257)
Source: EURCLNKFW02 (10.5.161.75)
Destination: devfwmng01 (10.5.161.16)
Source Port: 1718
Information: TCP packet out of state: First packet isn't SYN tcp_flags: ACK

__________________
tdvit CCSA CCSE |
| |||
| EURCLNKFW02 is trying to send logs to devfwmng01 - is that where you want it to send logs to? They are being dropped for being out of state - that's usually an old session that was hanging around, or you've restarted devfwmng01 - but EURCLNKFW02 doesn't know that, and is still trying to use the old sessions. Usually CP sorts itself out, and starts a new session. If it doesn't, you'll need to restart CP on the module. Is devfwmng01 management and enforcement? What was the process you were going through for migrating mgmt server? One thing to watch out for, depending on how you did the migration, is that you may need to reinstall policy on the module, or at least the database on the management. Check the Logs tab on the module, make sure it is configured to send logs to the right place. |
| |||
| The firewalls and mgmt server are separate. devfwmng01 is the mgmt server and that's where I need to send the logs to. I manage a few firewalls from this mgmt server and I have that message I posted from all firewalls.

I migrated from NG AI R55 on Windows 2000 to a brand new server with Win 2003 NG AI R55, so no CP application update, exact same, just new hardware and OS. I installed R55 on the new server and then I imported the configuration from the old server. I kept the same IP and machine name on the new server and everything is working fine apart from the logging.

SIC is established to all my modules and I have pushed the policy to all of them with no problems. I also did a cprestart on the eurclnkfw02 as you suggested, as well as installing the database to the mgmt server, but still these messages keep appearing and no good stuff!!! Any other ideas?

__________________
tdvit CCSA CCSE |
| |||
| I might be missing something here, but I don't quite understand why you have a log entry on the mgmt server that says its origin is devfwmng01 - the origin should be the firewall module that has logged the entry (either a drop or an accept). The mgmt server itself shouldn't be logging stuff like that. I think the only ones you see with an origin of the management are the log rotation messages. From a module, can you telnet to the management server on port 257? |
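Added example (not part of the thread, and not Check Point code): a Python sketch that parses the Tracker record from the first post and flags the two things the replies point at, the out-of-state drop on FW1_log and the fact that the host that logged the drop is the log destination itself. The function names and finding labels are assumptions made for this example.

```python
import re

# Field names as they appear in the Tracker record quoted in the first post.
FIELDS = ["Number", "Date", "Time", "Product", "Interface", "Origin", "Type",
          "Action", "Protocol", "Service", "Source Port", "Source",
          "Destination", "Information"]

# Constructed sample: the record from the first post, flattened onto one line.
SAMPLE = ("Number: 93 Date: 14Aug2006 Time: 10:05:42 Product: VPN-1 & FireWall-1 "
          "Interface: q57w2k2 Origin: devfwmng01 (10.5.161.16) Type: Log Action: Drop "
          "Protocol: tcp Service: FW1_log (257) Source: EURCLNKFW02 (10.5.161.75) "
          "Destination: devfwmng01 (10.5.161.16) Source Port: 1718 "
          "Information: TCP packet out of state: First packet isn't SYN tcp_flags: ACK")

def parse_record(text):
    """Split a flattened 'Name: value' Tracker record into a dict."""
    # Longest names first so 'Source Port' wins over 'Source'.
    names = "|".join(re.escape(f) for f in sorted(FIELDS, key=len, reverse=True))
    hits = list(re.finditer(r"(?:^|(?<=\s))(%s): " % names, text))
    record = {}
    for cur, nxt in zip(hits, hits[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        record[cur.group(1)] = text[cur.end():end].strip()
    return record

def host(value):
    """'devfwmng01 (10.5.161.16)' -> 'devfwmng01', lower-cased for comparison."""
    return value.split(" (")[0].strip().lower()

def diagnose(record):
    """Return findings for a dropped FW1_log (log transport) connection."""
    findings = []
    if record.get("Action") != "Drop" or not record.get("Service", "").startswith("FW1_log"):
        return findings
    if "out of state" in record.get("Information", ""):
        findings.append("stale-session: %s is sending on a connection the "
                        "dropping host has no state for" % host(record["Source"]))
    if host(record["Origin"]) == host(record["Destination"]):
        findings.append("logged-by-destination: the drop was logged by %s itself, "
                        "not by a firewall module in the path" % host(record["Origin"]))
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_record(SAMPLE)):
        print(finding)
```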
| |||
| Quote:
__________________ tdvit CCSA CCSE |