| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hello,

A colleague has two firewall modules running R62 build 120 on IPSO 4.2, managed by a SmartCenter (SC) (same platform/build). The management team used to get the consolidated fw.log from the SC, which included the information from the modules. Since a few months ago it seems that the fw.log from the modules is not reaching the SC anymore. There is plenty of disk space left on the /var of the SC, and some logs are making it through the SC:

Code:

    mgmt[admin]# pwd
    /var/opt/CPsuite-R62/fw1/log
    fw01.cp.com__2008-07-01_235900.log
    fw01.cp.com__2008-07-01_235900.logaccount_ptr
    fw01.cp.com__2008-07-01_235900.loginitial_ptr
    fw01.cp.com__2008-07-01_235900.logptr
    fw02.cp.com__2008-07-01_235900.log
    fw02.cp.com__2008-07-01_235900.logaccount_ptr
    fw02.cp.com__2008-07-01_235900.loginitial_ptr
    fw02.cp.com__2008-07-01_235900.logptr

Code:

    [FWD 15873 217344]@fw01.cp.com[12 May 23:59:04] Active log file: [fw.log], (wont be forwarded)

Of course there are two "parasite" problems, the setup is not totally clean, to say the least:

1/ Too many hosts: The modules are running on 50 hosts licenses ("larger" licenses are too expensive...). The colleague argues that if this was the problem then it should have happened a long time ago... Bottom line is that both modules are reporting all day long:

Code:

    Jul 10 00:32:50 fw01 [LOG_CRIT] kernel: FW-1: too many internal hosts (640) detected.
    Jul 10 00:32:50 fw01 [LOG_CRIT] kernel: run "fw lichosts" to get a list of hosts

This is also the reason why I can't ask the TAC for help, they'll just kick me.

2/ Cluster going down around midnight:

Code:

    Jul 10 23:59:26 fw01 [LOG_NOTICE] clusterd[320]: Cluster state is set to DOWN
    Jul 10 23:59:26 fw01 [LOG_NOTICE] clusterd[320]: blocking devices are in problem state
    Jul 10 23:59:26 fw01 [LOG_NOTICE] clusterd[320]: Member(192.168.2.1) member id(1) left cluster(1):
    Jul 10 23:59:26 fw01 [LOG_NOTICE] clusterd[320]: Member 1 leaving cluster 1
    Jul 10 23:59:26 fw01 [LOG_NOTICE] clusterd[320]: Member(192.168.2.2) member id(2) left cluster(1):
    Jul 10 23:59:26 fw01 [LOG_NOTICE] xntpd[1331]: restarting

Thanks in advance for any hint... |
| |||
| Usually the modules will log locally when they can't reach the management module. Can you still manage the modules and push policies, etc? What about the SmartView Monitor, does that work too? Can there be some NAT or some crazy routing issue that might be causing problems? Or maybe a bad firewall rule somewhere? |
| |||
| Hi Mario, I don't think there is such a problem here as some log files are transferred to the SC (.logaccount_ptr, .loginitial_ptr,...). I would have thought that that message "Active log file: [fw.log], (wont be forwarded)" would have been easy to find somewhere else with Google but no... It really seems that the module itself simply does not "feel like" transferring that particular file, and I don't know the role of the other .log* that are transferred. To be honest I've never bothered to know how the modules' log files were "consolidated" into the SC fw.log, I just know that the admin guys just transfer that file from the SC to have all the info they need about the SC and the modules. I'm a bit in the dark. |
| |||
| Well, there should be just one log with all the firewalls in it. In normal operation the firewalls are connected to the SmartCenter and just pass on the logs in real time. If I remember correctly that would be 4 files, all of which would be rotated at 0:00, fw.log being the main one. |
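
An added example, not part of the thread and not Check Point code: a small Python check, run on a workstation over a listing of the SmartCenter log directory, that groups the rotated files by module and reports each module's most recent rotation, any of the four companion files missing from it, and whether it is older than expected. The file-name pattern and the four suffixes are taken from the listing in the first post; the function name, the one-day threshold and the reference time are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# File-name pattern as it appears in the listing in the first post:
# <module>__<YYYY-MM-DD>_<HHMMSS>.<suffix>
NAME_RE = re.compile(
    r"^(?P<module>.+?)__(?P<stamp>\d{4}-\d{2}-\d{2}_\d{6})\.(?P<suffix>log\w*)$"
)
# The four suffixes seen per module in that listing.
EXPECTED = {"log", "logptr", "logaccount_ptr", "loginitial_ptr"}


def summarize(names, now, max_age_days=1):
    """Group rotated files by module; report latest set, gaps and staleness."""
    sets = defaultdict(lambda: defaultdict(set))
    for name in names:
        m = NAME_RE.match(name.strip())
        if m:  # skip fw.log and anything else not in the rotated-file format
            stamp = datetime.strptime(m["stamp"], "%Y-%m-%d_%H%M%S")
            sets[m["module"]][stamp].add(m["suffix"])
    report = {}
    for module, by_stamp in sets.items():
        latest = max(by_stamp)
        report[module] = {
            "latest": latest,
            "missing": sorted(EXPECTED - by_stamp[latest]),
            "stale": (now - latest).days > max_age_days,
        }
    return report


# Constructed listing: fw01 lines are copied from the post, fw02 is cut down
# to show a gap (the real listing had all four files for both modules).
SAMPLE = """\
fw.log
fw01.cp.com__2008-07-01_235900.log
fw01.cp.com__2008-07-01_235900.logaccount_ptr
fw01.cp.com__2008-07-01_235900.loginitial_ptr
fw01.cp.com__2008-07-01_235900.logptr
fw02.cp.com__2008-07-01_235900.log
fw02.cp.com__2008-07-01_235900.logptr
""".splitlines()

if __name__ == "__main__":
    # Reference time is an assumption, chosen to match the Jul 10 syslog lines.
    now = datetime(2008, 7, 10, 12, 0)
    for mod, info in sorted(summarize(SAMPLE, now).items()):
        print(mod, info["latest"].isoformat(), info["missing"], info["stale"])
```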