Lots of syslog entries %PIX-4-106023 since PIX upgrade to 6.3(3)

Posted on 2004-03-24
Last Modified: 2012-06-27
Since I upgraded our PIX to IOS 6.3(3), the log file is full of entries:
PIX-4-106023: Deny tcp src outside:"Can be any host"/80 dst inside:"proxies PAT address"/34715 by access-group "outside-in"
This was not the case before the upgrade, running 6.2(2).
It tells me that traffic is blocked coming from a host on port 80 to our proxy server on any port > 1024. This must be traffic related to a connection originally set up by the proxy. When I look at the translation table I can still see a translation for that specific port, the proxy and the global address. When I look at the connections I can't see a connection for host/80 <==> proxy/>1024. (BTW, this is the most likely reason for the entry in the log.)

It looks like the proxy server closed the connection and the PIX deleted the entry from the table, but the server at the other end still thinks that there is a connection and tries to send traffic back.

Everything works fine as far as the proxy is concerned!

Nothing is changed in the config since the upgrade.

The config is pretty basic: simple NAT/PAT.

global (outside) 100 ProxiesPATaddr netmask 255.255.255.240
nat (inside) 100 proxy 255.255.255.255

What's different between 6.2 and 6.3 ?

Richard
Question by: RichardBol

Expert Comment

by: lrmoore
ID: 10676271
Oftentimes when you open a web page, then quickly move to another site or close out that page, the original server is still sending stuff back to you, but you've moved on to another page and the original request is closed, so the data gets rejected. Perhaps it was a graphic that wasn't loaded before moving on to a new page. 6.3 is quicker at closing the xlate; that's a good thing.
You can always suppress that message number if it is filling up the logs.

Expert Comment

by: lrmoore
ID: 12353990
My answer is correct. No response from asker makes it no less so.

Author Comment

by: RichardBol
ID: 12549432
LRMoore's theory might be correct, but suppressing the DENY messages will also suppress the DENY messages caused by unauthorized access, so I don't reckon this as a good solution.
In the meantime I had a response from Cisco:
"The changes you note are a result of the new feature known as policy NAT. One of the things we had to do with respect to this feature was change the way the PIX processes incoming packets. We now log inbound packets that have no connections associated with them as being denied by the ACL. Prior to this, they would be denied because of no xlate, which the PIX silently dropped (no logs). The 106023 messages can be ignored in most cases if you see a corresponding 302014 message preceding it. The corresponding 302014 is a level 6 (Informational) message, and practically no customer would set syslog messages to level 6 or 7 unless in a "troubleshooting problem" situation, because there would be too many messages logged."
Prior to 6.3.3, syslog 106015 was used to indicate the arrival of TCP packets for connections that had been torn down by the PIX. With the Policy NAT feature introduced in 6.3.3, syslog 106023 is now logged to represent this same event.

I have received a patch from Cisco which reverts PIX behavior back to use 106015 instead of 106023.

I'm not allowed to distribute the patch. Cisco Bug ID CSCee27834
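
The Cisco explanation quoted above gives a usable rule: a 106023 deny that follows a 302014 teardown for the same flow is a stale packet for a connection the PIX already closed, while a 106023 with no such teardown may be a real ACL hit. That rule can be applied on the syslog collector instead of silencing 106023 on the PIX, which addresses the objection raised in the comment above. The script below is an added example written for this page; it is not code from the thread or from Cisco. It assumes PIX syslog with `logging timestamp`, so each line starts with `Mon DD YYYY HH:MM:SS:`; the 106023 format exactly as quoted in the question; the 302014 format `Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port> ...` from the PIX syslog message reference; and that both messages log the same inside address for the proxy (if 302014 showed the real address and 106023 the PAT address, the key would also have to consult the xlate). The log lines are constructed for the example, with documentation-range addresses and 192.168.1.5 standing in for the proxy.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample log for this example (not from the thread). The 106023 lines
# copy the shape quoted in the question; the 302014 shape follows the PIX syslog
# message reference. Addresses are documentation ranges; the proxy is 192.168.1.5.
SAMPLE_LOG = """\
Mar 24 2004 10:15:01: %PIX-6-302014: Teardown TCP connection 81234 for inside:192.168.1.5/34715 to outside:203.0.113.10/80 duration 0:00:03 bytes 5120 TCP FINs
Mar 24 2004 10:15:02: %PIX-4-106023: Deny tcp src outside:203.0.113.10/80 dst inside:192.168.1.5/34715 by access-group "outside-in"
Mar 24 2004 10:15:05: %PIX-4-106023: Deny tcp src outside:198.51.100.7/3321 dst inside:192.168.1.5/22 by access-group "outside-in"
Mar 24 2004 10:16:30: %PIX-6-302014: Teardown TCP connection 81300 for inside:192.168.1.5/34801 to outside:203.0.113.44/80 duration 0:00:10 bytes 900 TCP FINs
Mar 24 2004 10:19:00: %PIX-4-106023: Deny tcp src outside:203.0.113.44/80 dst inside:192.168.1.5/34801 by access-group "outside-in"
"""

# Timestamp prefix written by 'logging timestamp' (assumed format).
_TS = r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
# One endpoint: interface:address/port. The name prefix is filled in per side.
_END = r"(?P<{p}_if>\w+):(?P<{p}_ip>[\d.]+)/(?P<{p}_port>\d+)"
TEARDOWN_RE = re.compile(
    _TS + r"%PIX-6-302014: Teardown (?P<proto>TCP|UDP) connection \d+ for "
    + _END.format(p="a") + " to " + _END.format(p="b"))
DENY_RE = re.compile(
    _TS + r"%PIX-4-106023: Deny (?P<proto>tcp|udp) src "
    + _END.format(p="a") + " dst " + _END.format(p="b")
    + r' by access-group "(?P<acl>[^"]+)"')

Deny = namedtuple("Deny", "ts src dst acl stale")


def _parse_ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")


def _flow_key(m):
    """Direction-independent key: 302014 lists the initiator first, 106023 lists
    the packet's own src/dst, so the two endpoints are compared as a set."""
    ends = frozenset([(m["a_if"], m["a_ip"], int(m["a_port"])),
                      (m["b_if"], m["b_ip"], int(m["b_port"]))])
    return (m["proto"].lower(), ends)


def classify_denies(log_text, window_seconds=60):
    """Return one Deny per 106023 line. stale=True when a 302014 teardown for the
    same flow preceded it by at most window_seconds (Cisco's 'can be ignored' case)."""
    torn_down = {}  # flow key -> time of the most recent teardown
    results = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.match(line)
        if m:
            torn_down[_flow_key(m)] = _parse_ts(m["ts"])
            continue
        m = DENY_RE.match(line)
        if not m:
            continue  # other message IDs are not needed for the correlation
        ts = _parse_ts(m["ts"])
        last = torn_down.get(_flow_key(m))
        stale = last is not None and 0 <= (ts - last).total_seconds() <= window_seconds
        results.append(Deny(ts, "%s/%s" % (m["a_ip"], m["a_port"]),
                            "%s/%s" % (m["b_ip"], m["b_port"]), m["acl"], stale))
    return results


def genuine_denies(log_text, window_seconds=60):
    """Only the 106023 events with no matching teardown: the ones worth alerting on."""
    return [d for d in classify_denies(log_text, window_seconds) if not d.stale]


if __name__ == "__main__":
    for d in genuine_denies(SAMPLE_LOG):
        print("%s deny %s -> %s by %s" % (d.ts, d.src, d.dst, d.acl))
```

Run against a capture from the syslog collector, it prints only the denies that had no recent teardown for the same flow; on the sample that is the port 22 probe and the deny that arrived two and a half minutes after its teardown. Two caveats follow from the thread: the correlation only works if the PIX is sending level 6 to the collector (`logging trap informational`), which is the volume concern Cisco raises, and the alternative of `no logging message 106023` on the PIX silences the message for every flow, real ACL hits included. The 60-second window is an assumption; a peer that keeps retransmitting can exceed it, as the last sample line shows, so tune it against your own logs.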
 

Accepted Solution

by: modulo
ID: 12577493
PAQed with points refunded (250)

modulo
Community Support Moderator