
[ScreenOS] Packets are Dropped When the Log Buffer Fills Up


Article ID: KB6432 | KB Last Updated: 12 Jun 2019 | Version: 6.0
Summary:

This article:

  • describes an event log message, which states that packets were dropped because the log buffer was full

  • explains why the packets were dropped and why traffic was stopped

  • shows how to get the security device to start receiving and processing traffic again

  • lists the commands to acknowledge alarms, clear events, and disable and check the status of the set log audit-loss-mitigation command

Symptoms:

The problem is revealed in the sample Event Log output below:

2009-02-16 11:53:41
notif Log buffer was full and remaining messages were sent to external destination. 1115 packets were dropped.

get log sys
## 2014-03-10 22:56:13 : The dlog chunk in use (56) is larger than the high threshold (55), stop forwarding new traffic

get sys-cfg | in dlog
dlog buf max chunk number: 256
dlog queue max chunk number: 56
dlog session log pool number: 256


Cause:

When the log buffer in a security device reaches its capacity, the device sends all log entries to an external host for storage. During the transmission, the security device stops receiving traffic and, on some security devices, drops packets; the event log reports how many were dropped.

Note: After the security device transmits all log entries, it starts receiving and processing traffic again.

The default behavior in ScreenOS is for logs to be overwritten when the log buffer reaches its capacity. The logs are handled on a first-in, first-out basis.

If the set log audit-loss-mitigation command is enabled, precedence is given to the logs that are stored on the firewall, as opposed to traffic passing through the firewall.

Enabling the set log audit-loss-mitigation command stops the generation of auditable events when the number of such events exceeds the capacity of the security device. Enabling this feature reduces the loss of event logs due to log overloads. However, when the log buffer in the security device reaches its capacity, the device sends all log entries to an external host (that is, syslog) for storage. During the transmission process, the security device stops receiving traffic and drops the specified number of packets. After the device has finished transmitting all the log entries, it starts receiving and processing traffic again.

On some security devices, the syslog server must be connected to the management interface on the Management Module. This ensures that the syslog server is available if the buffer fills up and network traffic stops.
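The two event-log messages quoted in the Symptoms section are the only on-box indication that audit-loss mitigation has stopped forwarding traffic, so a log collector should alert on them. The following detector is an added example, not part of the Juniper article: it parses exported `get event` / `get log sys` lines, handles the case where the timestamp and the `notif` message land on separate lines (as in the Symptoms output), and returns structured findings. The sample lines are constructed from the messages on this page.

```python
import re
from typing import Dict, List, Optional

# Patterns for the two ScreenOS log-buffer messages shown in the Symptoms section.
BUFFER_FULL_RE = re.compile(
    r"Log buffer was full and remaining messages were sent to external destination\. "
    r"(?P<dropped>\d+) packets were dropped\."
)
DLOG_THRESHOLD_RE = re.compile(
    r"The dlog chunk in use \((?P<in_use>\d+)\) is larger than the high threshold "
    r"\((?P<threshold>\d+)\), stop forwarding new traffic"
)
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Constructed sample: the two messages from this article plus one benign filler line.
SAMPLE_LOG = [
    "2009-02-16 11:53:41",
    "notif Log buffer was full and remaining messages were sent to external destination. 1115 packets were dropped.",
    "## 2014-03-10 22:56:13 : The dlog chunk in use (56) is larger than the high threshold (55), stop forwarding new traffic",
    "2014-03-10 22:50:00 info constructed benign line, should not match",
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a log-buffer event line, or None for anything else."""
    ts_match = TIMESTAMP_RE.search(line)
    ts = ts_match.group(0) if ts_match else None
    m = BUFFER_FULL_RE.search(line)
    if m:
        return {"timestamp": ts, "event": "log_buffer_full",
                "dropped_packets": int(m.group("dropped"))}
    m = DLOG_THRESHOLD_RE.search(line)
    if m:
        return {"timestamp": ts, "event": "dlog_high_threshold",
                "chunks_in_use": int(m.group("in_use")),
                "high_threshold": int(m.group("threshold"))}
    return None


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Scan exported log lines; a bare timestamp line is joined to the message that follows it."""
    findings, pending_ts = [], None
    for raw in lines:
        line = raw.strip()
        if TIMESTAMP_RE.fullmatch(line):
            pending_ts = line
            continue
        if pending_ts and not TIMESTAMP_RE.search(line):
            line = f"{pending_ts} {line}"
        pending_ts = None
        finding = parse_line(line)
        if finding:
            findings.append(finding)
    return findings


def total_dropped(findings: List[Dict[str, object]]) -> int:
    """Sum the packet-drop counts across all log_buffer_full findings."""
    return sum(int(f.get("dropped_packets", 0)) for f in findings)
```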


Solution:
When the set log audit-loss-mitigation command is enabled, the device stops receiving traffic if the log buffer is full. In this case, either the alarms must be acknowledged or the clear event command must be issued in order to resume traffic.

To acknowledge an alarm, use the following syntax:

exec alarm security ack-id number    (the ack-id can be found in the alarm event)

[or]

exec alarm security all

To clear an event, use the following syntax:

clear event

To disable the set log audit-loss-mitigation command, issue the following command:

unset log audit-loss-mitigation

To confirm the status of the set log audit-loss-mitigation command, issue the following command:

get log audit-loss-mitigation


Modification History:

2018-10-05: Syntax added for acknowledging or clearing alarms in the Solution section.

