Lots of syslog entries %PIX-4-106023 since PIX upgrade to 6.3(3)

Posted on 2004-03-24
563 Views
Last Modified: 2012-06-27
Since I have upgraded our PIX to IOS 6.3(3) the log file is full of entries:
PIX-4-106023: Deny tcp src outside:"Can be any host"/80 dst inside:"proxies PAT address"/34715 by access-group "outside-in"
This was not the case before the upgrade running 6.2(2).
It tells me that traffic is blocked coming from a host port 80 to our proxy server, any port > 1024. This must be traffic related to a connection originally set up by the proxy. When I look at the translation table I can still see a translation for that specific port and the proxy and the Global address. When I look at the connections I can't see a connection for host/80 <==> proxy/>1024. (BTW - this is the most likely reason for the entry in the log.)

It looks like the proxy server closed the connection and the pix deleted the entry from the table but the server at the other end still thinks that there is a connection and tries to send traffic back .

Everything works fine as far as the proxy is concerned!

Nothing is changed in the config since the upgrade.

The config is pretty basic, simple nat / pat

global (outside) 100 ProxiesPATaddr netmask 255.255.255.240
nat (inside) 100 proxy 255.255.255.255

What's different between 6.2 and 6.3 ?

Richard
Question by:RichardBol
6 Comments
Expert Comment

by:lrmoore
ID: 10676271
Often times when you open a web page, then quickly move to another site or close out that page, the original server is still sending stuff back to you, but you've moved on to another page and the original request is closed, so the data gets rejected. Perhaps it was a graphic that wasn't loaded before moving on to a new page. 6.3 is quicker at closing the xlate - that's a good thing.
You can always suppress that message number if it is filling up the logs.

Expert Comment

by:lrmoore
ID: 12353990
My answer is correct. No response from asker makes it no less so.
Author Comment

by:RichardBol
ID: 12549432
LRMoore's theory might be correct but suppressing the DENY messages will also suppress the DENY messages caused by unauthorized access, so I don't reckon this is a good solution.
In the meantime I had a response from Cisco:
"The changes you note are a result of the new feature known as policy NAT. One of the things we had to do with respect to this feature was change the way the PIX processes incoming packets. We now log inbound packets that have no connections associated with them as being denied by the ACL. Prior to this, they would be denied because of no xlate which the PIX silently dropped (no logs). The 106023 messages can be ignored in most cases if you see a corresponding 302014 message preceding it. The corresponding 302014 is a level 6 (Informational) message and practically no customer would set syslog message to level 6 or 7 unless in a "troubleshooting problem" situation because there would be too many messages logged."
Prior to 6.3.3, syslog 106015 was used to indicate the arrival of TCP packets for connections that had been torn down by the PIX. With the Policy NAT feature introduced in 6.3.3, syslog 106023 is now logged to represent this same event.

I have received a patch from Cisco which reverts PIX behavior back to use 106015 instead of 106023.

I'm not allowed to distribute the patch. Cisco Bug ID CSCee27834
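The Cisco reply above gives a way to keep the 106023 denies visible without blanket suppression: a deny is a harmless straggler only when a 302014 teardown for the same flow precedes it. The following script, added here as an illustration and not part of the original thread or any Cisco tool, correlates the two message types on a syslog feed. The 106023 format follows the line quoted in the question; the 302013 (Built, which carries the mapped address and port in parentheses) and 302014 (Teardown) formats are assumed from Cisco's syslog documentation. The mapped addresses are needed because, as the question notes, the deny shows the proxy's PAT address and port, while the teardown shows the real inside address. All log lines, hostnames and addresses are constructed.

```python
import re
from datetime import datetime, timedelta

# Syslog relay prefix: "Mon DD HH:MM:SS host <message>". No year is carried,
# which is fine for a relative window inside one log file.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>.*)$")

# 106023 as quoted in the question: src/dst carry the addresses the ACL saw,
# i.e. the PAT (mapped) address and port on the inside.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) src \w+:(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)
# 302013 format assumed from Cisco docs: real address/port, mapped address/port in
# parentheses, for both ends. We keep only the mapped pair, keyed by connection id.
BUILT_RE = re.compile(
    r"%PIX-6-302013: Built (?:inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"\w+:[\d.]+/\d+ \((?P<mip1>[\d.]+)/(?P<mport1>\d+)\) to "
    r"\w+:[\d.]+/\d+ \((?P<mip2>[\d.]+)/(?P<mport2>\d+)\)"
)
# 302014 format assumed from Cisco docs: the connection id is enough, since the
# mapped tuple was learned from the matching 302013.
TEARDOWN_RE = re.compile(r"%PIX-6-302014: Teardown TCP connection (?P<cid>\d+) for ")


def flow_key(ip1, port1, ip2, port2):
    """Direction-agnostic key for a TCP flow (the deny is logged server->client)."""
    return frozenset({(ip1, int(port1)), (ip2, int(port2))})


def classify_denies(lines, window=timedelta(seconds=60)):
    """Split 106023 TCP denies into (stragglers, suspicious).

    A deny is a straggler when a 302014 teardown of the same mapped flow was
    seen no more than `window` earlier; everything else is a genuine ACL hit
    that deserves the usual attention."""
    mapped_by_cid = {}   # connection id -> mapped flow key, from 302013
    torn_down = {}       # mapped flow key -> time of 302014
    stragglers, suspicious = [], []
    for line in lines:
        head = TS_RE.match(line)
        if not head:
            continue
        ts = datetime.strptime(head["ts"], "%b %d %H:%M:%S")
        msg = head["msg"]
        built = BUILT_RE.search(msg)
        if built:
            mapped_by_cid[built["cid"]] = flow_key(
                built["mip1"], built["mport1"], built["mip2"], built["mport2"])
            continue
        td = TEARDOWN_RE.search(msg)
        if td:
            key = mapped_by_cid.pop(td["cid"], None)
            if key is not None:
                torn_down[key] = ts
            continue
        dn = DENY_RE.search(msg)
        if not dn or dn["proto"].lower() != "tcp":
            continue
        seen = torn_down.get(flow_key(dn["sip"], dn["sport"], dn["dip"], dn["dport"]))
        if seen is not None and timedelta(0) <= ts - seen <= window:
            stragglers.append(line)
        else:
            suspicious.append(line)
    return stragglers, suspicious


# Constructed sample: proxy 10.1.1.5 is PATed to 203.0.113.5; the web server
# 198.51.100.7 sends one late segment (straggler), an unrelated host probes
# port 445 (real deny), and a second late segment arrives well past the window.
SAMPLE_LOG = """\
Mar 24 10:14:48 pix1 %PIX-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.1.5/1612 (203.0.113.5/34715)
Mar 24 10:15:00 pix1 %PIX-6-302014: Teardown TCP connection 4711 for outside:198.51.100.7/80 to inside:10.1.1.5/1612 duration 0:00:12 bytes 8812 TCP FINs
Mar 24 10:15:02 pix1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/80 dst inside:203.0.113.5/34715 by access-group "outside-in"
Mar 24 10:15:03 pix1 %PIX-4-106023: Deny tcp src outside:192.0.2.9/4444 dst inside:203.0.113.5/445 by access-group "outside-in"
Mar 24 10:20:30 pix1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/80 dst inside:203.0.113.5/34715 by access-group "outside-in"
""".splitlines()

if __name__ == "__main__":
    benign, real = classify_denies(SAMPLE_LOG)
    print(f"{len(benign)} straggler deny(s), {len(real)} deny(s) worth reviewing")
    for line in real:
        print("REVIEW:", line)
```

Because the 302013/302014 messages are level 6, this only works if the logging level is raised to informational (at least for those two message IDs) on the collector side, which is exactly the cost the Cisco reply points out; the window value is a judgement call, a few tens of seconds covers normal TCP retransmission after a FIN.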
Accepted Solution

by: modulo (earned 0 total points)
ID: 12577493
PAQed with points refunded (250)

modulo
Community Support Moderator