RichardBol (New Zealand)
asked on
Lots of syslog entries %PIX-4-106023 since PIX upgrade to 6.3(3)

Since I have upgraded our PIX to IOS 6.3(3) the log file is full of entries :
PIX-4-106023: Deny tcp src outside:"Can be any host"/80 dst inside:"proxies PAT address"/34715 by access-group "outside-in"
This was not the case before the upgrade running 6.2(2).
It tells me that traffic is blocked coming from a host port 80 to our proxy server, any port > 1024. This must be traffic related to a connection originally set up by the proxy. When I look at the translation table I can still see a translation for that specific port and the proxy and the Global address. When I look at the connections I can't see a connection for host/80 <==> proxy/>1024. (BTW - This is the most likely reason for the entry in the log)

It looks like the proxy server closed the connection and the pix deleted the entry from the table but the server at the other end still thinks that there is a connection and tries to send traffic back .

Everything works fine as far as the proxy is concerned!

Nothing is changed in the config since the upgrade.

The config is pretty basic, simple nat / pat

global (outside) 100 ProxiesPATaddr netmask 255.255.255.240
nat (inside) 100 proxy 255.255.255.255

What's different between 6.2 and 6.3 ?

Richard
Les Moore (United States of America)

Oftentimes when you open a web page, then quickly move to another site or close out that page, the original server is still sending stuff back to you, but you've moved on to another page and the original request is closed, so the data gets rejected. Perhaps it was a graphic that wasn't loaded before moving on to a new page. 6.3 is quicker at closing the xlate - that's a good thing.
You can always suppress that message number if it is filling up the logs.
My answer is correct. No response from asker makes it no less so.
RichardBol (asker)

LRMoore's theory might be correct, but suppressing the DENY messages will also suppress the DENY messages caused by unauthorized access, so I don't reckon this is a good solution.
In the meantime I had a response from Cisco:
"The changes you note are a result of the new feature known as policy NAT. One of the things we had to do with respect to this feature was change the way the PIX processes incoming packets. We now log inbound packets that have no connections associated with them as being denied by the ACL. Prior to this, they would be denied because of no xlate, which the PIX silently dropped (no logs). The 106023 messages can be ignored in most cases if you see a corresponding 302014 message preceding it. The corresponding 302014 is a level 6 (Informational) message and practically no customer would set syslog message to level 6 or 7 unless in a "troubleshooting problem" situation because there would be too many messages logged."
Prior to 6.3.3, syslog 106015 was used to indicate the arrival of TCP packets for connections that had been torn down by the PIX. With the Policy NAT feature introduced in 6.3.3, syslog 106023 is now logged to represent this same event.

I have received a patch from Cisco which reverts PIX behavior back to use 106015 instead of 106023.

I'm not allowed to distribute the patch. Cisco Bug ID CSCee27834
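The thread leaves the practitioner with a choice between Les Moore's suggestion (silencing the message on the PIX, i.e. `no logging message 106023`, which also hides genuine ACL denies, as the asker points out) and Cisco's advice to ignore a 106023 only when a 302014 teardown for the same connection precedes it. The following is an added example, not code from the original thread, that implements Cisco's rule on the syslog collector rather than on the firewall: it keeps every 106023 but labels the ones that match a connection the PIX already tore down as stale return traffic, so only the unexplained denies need attention. The 302013 (Built) and 302014 (Teardown) line layouts follow the PIX 6.x syslog format as recalled by the author of this example, and the sample log lines are constructed (RFC 5737 addresses), not captured from the asker's PIX.

```python
"""Triage PIX 6.3 %PIX-4-106023 denies by correlating them with earlier
302013 (Built) and 302014 (Teardown) TCP connection messages.

Added example, not code from the original thread. The 302013/302014
line layouts follow the PIX 6.x syslog format as the author of this
example recalls it; the sample lines below are constructed.
"""
import re

# Constructed sample: a proxy (real 10.1.1.5, PATed to 198.51.100.20) fetches
# a page, the PIX tears the connection down, then the web server sends one
# more segment (stale return traffic). The last line is an unrelated probe
# against RDP that must NOT be explained away.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.1.1.5/3071 (198.51.100.20/34715)
%PIX-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/80 to inside:10.1.1.5/3071 duration 0:00:02 bytes 5120 TCP FINs
%PIX-4-106023: Deny tcp src outside:203.0.113.10/80 dst inside:198.51.100.20/34715 by access-group "outside-in"
%PIX-4-106023: Deny tcp src outside:192.0.2.77/4444 dst inside:198.51.100.20/3389 by access-group "outside-in"
"""

# Built: both endpoints appear as real-address/port (mapped-address/port).
BUILT_RE = re.compile(
    r"%PIX-6-302013: Built (?:inbound|outbound) TCP connection (?P<id>\d+) for "
    r"\w+:[\d.]+/\d+ \((?P<mip1>[\d.]+)/(?P<mport1>\d+)\) to "
    r"\w+:[\d.]+/\d+ \((?P<mip2>[\d.]+)/(?P<mport2>\d+)\)"
)
TEARDOWN_RE = re.compile(r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+) ")
# Deny: the inside address shown is the mapped (PAT) address, as in the
# asker's log line, so correlation must use the mapped tuple.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) src \w+:(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r'dst \w+:(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def _endpoints(ip_a, port_a, ip_b, port_b):
    """Order-independent key for a connection: the set of its two endpoints.

    Using a set avoids caring which side the PIX printed first.
    """
    return frozenset({(ip_a, int(port_a)), (ip_b, int(port_b))})


def triage(lines):
    """Return [(classification, line)] for every 106023 line, in log order.

    'stale-return'  : the denied segment matches the mapped endpoints of a
                      TCP connection the PIX already tore down (Cisco's
                      "ignore if a 302014 precedes it" case).
    'investigate'   : no such connection, or it was still open; treat as a
                      real ACL deny.
    Lines are assumed to be in chronological order.
    """
    conns = {}        # endpoint set -> most recent connection id
    torn_down = set()  # connection ids seen in a 302014
    results = []
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            key = _endpoints(m["mip1"], m["mport1"], m["mip2"], m["mport2"])
            conns[key] = m["id"]
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            torn_down.add(m["id"])
            continue
        m = DENY_RE.search(line)
        if m:
            key = _endpoints(m["sip"], m["sport"], m["dip"], m["dport"])
            cid = conns.get(key)
            verdict = "stale-return" if cid in torn_down else "investigate"
            results.append((verdict, line))
    return results


if __name__ == "__main__":
    for verdict, line in triage(SAMPLE_LOG.splitlines()):
        print(f"{verdict:13} {line}")
```

Two caveats follow directly from Cisco's reply. The 302013/302014 messages are severity 6, so the collector only sees them if the PIX logs at informational level (`logging trap informational` or higher); at warning level the 106023 lines arrive with nothing to correlate against and every one is classified as "investigate". And since the correlation is keyed on the mapped (global) endpoints, a later connection that reuses the same PAT port before the teardown is logged would be matched to the newer connection id, which is why `conns` keeps only the most recent id per endpoint set.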
ASKER CERTIFIED SOLUTION: modulo