awakenings
asked on
Strange Syslog Behavior
I have asked 3 CCIE level networking people and none have given me a good explanation for the behavior. The syslog is below. The situation is that all of a sudden an IP address seems to pop out of another interface with no good explanations. The ASAs are the same on all the VLANs. There are no redundancies on the ARP tables for that IP address. For some reason there are just denied ICMP addresses out of the karen interface. If someone can create a solid explanation for me that makes sense and you know is true, the points are yours. If I can raise the points, I would do so as I know it is a tough question.
12/23/2005 10:13 Syslog.Warning 192.168.50.1 Dec 23 2005 10:13:24: %FWSM-4-106023: Deny icmp src bob:192.168.30.25 dst chomp:192.168.90.140 (type 3, code 3) by access-group "bob_access_in"
12/23/2005 10:13 Syslog.Info 192.168.50.1 Dec 23 2005 10:13:24: %FWSM-6-302013: Built outbound TCP connection 219053611 for faddr 192.168.30.25/3994 gaddr 192.168.90.140/51559 laddr 192.168.90.140/51559
12/23/2005 10:13 Syslog.Info 192.168.50.1 Dec 23 2005 10:13:24: %FWSM-6-302014: Teardown TCP connection 219053611 faddr 192.168.30.25/3994 gaddr 192.168.90.140/51559 laddr 192.168.90.140/51559 duration 0:00:00 bytes 76 (TCP Reset-O)
12/23/2005 10:13 Syslog.Warning 192.168.50.1 Dec 23 2005 10:13:24: %FWSM-4-313004: Denied ICMP type=3, from laddr 192.168.30.25 on interface karen to 192.168.90.140: no matching session
12/23/2005 10:13 Syslog.Warning 192.168.50.1 Dec 23 2005 10:13:24: %FWSM-4-106023: Deny icmp src bob:192.168.30.25 dst chomp:192.168.90.140 (type 3, code 3) by access-group "bob_access_in"
12/23/2005 10:13 Syslog.Warning 192.168.50.1 Dec 23 2005 10:13:24: %FWSM-4-106023: Deny icmp src bob:192.168.30.25 dst chomp:192.168.90.140 (type 3, code 3) by access-group "bob_access_in"
12/23/2005 10:13 Syslog.Info 192.168.50.1 Dec 23 2005 10:13:24: %FWSM-6-302013: Built outbound TCP connection 219053613 for faddr 192.168.30.25/44333 gaddr 192.168.90.140/55855 laddr 192.168.90.140/55855
12/23/2005 10:13 Syslog.Warning 192.168.50.1 Dec 23 2005 10:13:24: %FWSM-4-106023: Deny icmp src bob:192.168.30.25 dst chomp:192.168.90.140 (type 3, code 3) by access-group "bob_access_in"
12/23/2005 10:13 Syslog.Info 192.168.50.1 Dec 23 2005 10:13:24: %FWSM-6-302013: Built outbound TCP connection 219053611 for faddr 192.168.30.25/3994 gaddr 192.168.90.140/51559 laddr 192.168.90.140/51559
12/23/2005 10:13 Syslog.Info 192.168.50.1 Dec 23 2005 10:13:24: %FWSM-6-302014: Teardown TCP connection 219053611 faddr 192.168.30.25/3994 gaddr 192.168.90.140/51559 laddr 192.168.90.140/51559 duration 0:00:00 bytes 76 (TCP Reset-O)
12/23/2005 10:13 Syslog.Warning 192.168.50.1 Dec 23 2005 10:13:24: %FWSM-4-313004: Denied ICMP type=3, from laddr 192.168.30.25 on interface karen to 192.168.90.140: no matching session
12/23/2005 10:13 Syslog.Warning 192.168.50.1 Dec 23 2005 10:13:24: %FWSM-4-106023: Deny icmp src bob:192.168.30.25 dst chomp:192.168.90.140 (type 3, code 3) by access-group "bob_access_in"
12/23/2005 10:13 Syslog.Warning 192.168.50.1 Dec 23 2005 10:13:24: %FWSM-4-106023: Deny icmp src bob:192.168.30.25 dst chomp:192.168.90.140 (type 3, code 3) by access-group "bob_access_in"
12/23/2005 10:13 Syslog.Info 192.168.50.1 Dec 23 2005 10:13:24: %FWSM-6-302013: Built outbound TCP connection 219053613 for faddr 192.168.30.25/44333 gaddr 192.168.90.140/55855 laddr 192.168.90.140/55855
I have a Cisco firewall that is logging the following SYSLOG (about 15 per second):
Denied ICMP type=3, from laddr 10.1.72.30 on interface Inside539 to 67.128.185.202: no matching session
The destination IP of 67.128.185.202 varies, but the source is always the same. I have found that the customer has SolarWinds installed on this host. Why would the firewall be blocking OUTBOUND packets when I have an outbound ACL (applied to Inside539 interface)?
access-list Inside539_access_in extended permit ip 10.1.27.0 255.255.255.0 any
Venyu, you have to post a new question.
Perhaps this experience might lead you closer to resolving your problem.
Good luck!
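A triage sketch for the FWSM log in the question and the 313004 line in the follow-up comment, added here as an example and not written by anyone in the thread: it parses the two denied-ICMP message formats quoted on this page (106023 and 313004), lists sources whose denials are logged against more than one interface, and reports denied-ICMP address pairs that are also the two ends of a built TCP connection (302013). The function names and the `SAMPLE` list are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: message bodies copied from the log in the question,
# plus the unprefixed 313004 text quoted in the follow-up comment.
SAMPLE = [
    '%FWSM-4-106023: Deny icmp src bob:192.168.30.25 dst chomp:192.168.90.140 (type 3, code 3) by access-group "bob_access_in"',
    "%FWSM-6-302013: Built outbound TCP connection 219053611 for faddr 192.168.30.25/3994 gaddr 192.168.90.140/51559 laddr 192.168.90.140/51559",
    "%FWSM-4-313004: Denied ICMP type=3, from laddr 192.168.30.25 on interface karen to 192.168.90.140: no matching session",
    "Denied ICMP type=3, from laddr 10.1.72.30 on interface Inside539 to 67.128.185.202: no matching session",
]
# Regexes follow the message text exactly as it appears on this page.
DENY = {
    "106023": re.compile(r"Deny icmp src (?P<iface>[^:\s]+):(?P<src>[\d.]+) dst [^:\s]+:(?P<dst>[\d.]+)"),
    "313004": re.compile(r"Denied ICMP type=\d+, from laddr (?P<src>[\d.]+) on interface (?P<iface>\S+) to (?P<dst>[\d.]+):"),
}
BUILT = re.compile(r"Built \w+ TCP connection \d+ for faddr (?P<f>[\d.]+)/\d+ gaddr (?P<g>[\d.]+)/\d+")


def parse_denies(lines):
    """Yield (msg_id, interface, src, dst) for every denied-ICMP line."""
    for line in lines:
        for msg_id, rx in DENY.items():
            m = rx.search(line)
            if m:
                yield msg_id, m["iface"], m["src"], m["dst"]


def multi_interface_sources(lines):
    """Sources whose denied ICMP is logged against more than one interface."""
    seen = defaultdict(set)
    for _id, iface, src, _dst in parse_denies(lines):
        seen[src].add(iface)
    return {src: sorted(i) for src, i in seen.items() if len(i) > 1}


def denies_matching_tcp(lines):
    """Denied-ICMP (src, dst) pairs that are also both ends of a built TCP connection."""
    lines = list(lines)
    tcp = {frozenset((m["f"], m["g"])) for m in map(BUILT.search, lines) if m}
    return sorted({(s, d) for _, _, s, d in parse_denies(lines) if frozenset((s, d)) in tcp})


if __name__ == "__main__":
    print(multi_interface_sources(SAMPLE))
    print(denies_matching_tcp(SAMPLE))
```

Feeding it the full syslog export instead of `SAMPLE` gives the same two views over every source address, which is a quicker way to see whether the interface mismatch is limited to one host.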