Logging ceases after policy install

[Youngy]

Hi all,

As you may know I have been having a hell of time getting logging to work consistently on an inherited CP install.

Basically the symptoms are that if you make a policy\object change and push\install the policy the logging from the firewall enforcement stops. The setup is distributed and the management server manages multiple enforcement points.

To get logging to work again I have found that I can do so by:
1. Turn off logging under the properties for the enforcement point object and apply the policy change
2. Turn logging back on under the properties and push the policy again.

Then at that stage you can see logging occurring once again under the tracker.

So far I have applied the latest HFAs to both the enforcement point and management server. The issue remains.

I feel it may be something to do with how the distribution is set up. For example the management machine (windows server) has three bindings on the one NIC. The primary binding and two others obviously.

If the enforcement point can see the primary NIC binding there is no issue, however if the enforcement point sees the management server via one of the other bindings the issue occurs. Now I am suspicious that this is part of the issue.

Has anyone else had any experience like this?

Thanks

[chillyjim]

Quote:

Originally Posted by Youngy

I feel it may be something to do with how the distribution is set up. For example the management machine (windows server) has three bindings on the one NIC. The primary binding and two others obviously.

If the enforcement point can see the primary NIC binding there is no issue, however if the enforcement point sees the management server via one of the other bindings the issue occurs. Now I am suspicious that this is part of the issue.

Have you tried to add the other interfaces of the SmartCenter to its topology and reset the SIC?

-jlh

[Youngy]

Hi Jim,

Yes the topolgy is complete for all three host objects (two of them I created with the primary IP being that of the NIC binding the FW can see).

I don't believe I have an issue with SIC so how will resetting it play a role in this case?

Cheers

[mdsenv]

When the logging stops, does the $FWDIR\log\fw.log file on the firewall grow in size?

When logging stops, have you tried running a tcp dump on the firewall?

[Claer]

I encoutered a similar problem.
The management stopped to log modules and a message indicating so appears in the smart view tracker. The solution given by the support was to convert Smartcenter to host (it was defined as a gw)
The support didn't know why this problem occurs time to time.

[Youngy]

Hi,

Yeah the smart center is already set as a host. I'll have to check out mdsenv's suggestion at somepoint this week.

Thanks Guys

[Sergej]

Knowledge base article sk30530 describes the same situation. They advise basically the same you have already done: "Remove all interfaces on the Topology page of the host object representing the SmartCenter Server, and install the Security Policy"

[Prabhu84818]

hai
I am having the similar problem. I Removed all interfaces on the Topology page of the host object representing the SmartCenter Server, and once again i installed the Security Policy. still i cant get the log file while viewing Smartview tracker. this contains log files only of type "Control". please let me know the solution for this.

Thanks & Regards
Prabhu S

[Youngy]

Hi Prabhu84818,

I think your issue might be slightly different, it sounds like you are not getting any log information on your smart center server. My case is all logging is working - but stops after you do an policy change\push. And I fix this as per my first post.

You may need to look into connectivity between your smart center server and fw on port 257 (port used for cp logging). see if the smart center server is listening on that port etc etc. Check masters file and that sort of thing.

Cheers

[Youngy]

Hello all,

Just letting you all know that this issue has been resolved. I basically resolved this case myself so the resolution will not be as precise as you will no doubt expect.

Basically I had a case open with CP since the 20/11/05 and up loaded tonnes of cpinfo outputs the results of this test and that etc and we did not appear to be making much progress.

So I built a brand new 2003 server machine. Did an upgrade/import onto this new box and tah dah. Logging does not cease when you push a policy. Somehere in there is the fix..................:)

Cheers