Solved

Lots of syslog entries %PIX-4-106023 since PIX upgrade to 6.3(3)

Posted on 2004-03-24
560 Views
Last Modified: 2012-06-27
Since I have upgraded our PIX to IOS 6.3(3) the log file is full of entries:
PIX-4-106023: Deny tcp src outside:"Can be any host"/80 dst inside:"proxies PAT address"/34715 by access-group "outside-in"
This was not the case before the upgrade running 6.2(2).
It tells me that traffic is blocked coming from a host port 80 to our proxy server, any port > 1024. This must be traffic related to a connection originally set up by the proxy. When I look at the translation table I can still see a translation for that specific port and the proxy and the Global address. When I look at the connections I can't see a connection for host/80 <==> proxy/>1024. (BTW - This is the most likely reason for the entry in the log.)

It looks like the proxy server closed the connection and the PIX deleted the entry from the table, but the server at the other end still thinks that there is a connection and tries to send traffic back.

Everything works fine as far as the proxy is concerned!

Nothing has changed in the config since the upgrade.

The config is pretty basic, simple nat / pat

global (outside) 100 ProxiesPATaddr netmask 255.255.255.240
nat (inside) 100 proxy 255.255.255.255

What's different between 6.2 and 6.3 ?

Richard
Question by:RichardBol
6 Comments
 
LVL 79

Expert Comment

by:lrmoore
Oftentimes when you open a web page, then quickly move to another site or close out that page, the original server is still sending stuff back to you, but you've moved on to another page and the original request is closed, so the data gets rejected. Perhaps it was a graphic that wasn't loaded before moving on to a new page. 6.3 is quicker at closing the xlate - that's a good thing.
You can always suppress that message number if it is filling up the logs.
 
LVL 79

Expert Comment

by:lrmoore
My answer is correct. No response from asker makes it no less so.
 

Author Comment

by:RichardBol
LRMoore's theory might be correct, but suppressing the DENY messages will also suppress the DENY messages caused by unauthorized access, so I don't reckon this is a good solution.
In the meantime I had a response from Cisco:
"The changes you note are a result of the new feature known as policy NAT. One of the things we had to do with respect to this feature was change the way the PIX processes incoming packets. We now log inbound packets that have no connections associated with them as being denied by the ACL. Prior to this, they would be denied because of no xlate, which the PIX silently dropped (no logs). The 106023 messages can be ignored in most cases if you see a corresponding 302014 message preceding it. The corresponding 302014 is a level 6 (Informational) message and practically no customer would set syslog messages to level 6 or 7 unless in a "troubleshooting problem" situation because there would be too many messages logged."
Prior to 6.3.3, syslog 106015 was used to indicate the arrival of TCP packets for connections that had been torn down by the PIX. With the Policy NAT feature introduced in 6.3.3, syslog 106023 is now logged to represent this same event.

I have received a patch from Cisco which reverts PIX behavior back to using 106015 instead of 106023.

I'm not allowed to distribute the patch. Cisco Bug ID CSCee27834
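The correlation Cisco's note points to, as an added example that is not from the post or from Cisco: pair each 106023 deny with a 302014 teardown of the same flow logged shortly before it, so the late-packet denies can be filtered out without blanket-suppressing 106023, which RichardBol rightly wants to keep for genuine unauthorized-access attempts. It assumes the PIX 6.3 message layouts shown in the constructed sample and that both messages log the same address pair (with PAT the deny may show the global address while the teardown shows the real one, so a production version would also consult the xlate table).

```python
import re
from datetime import datetime, timedelta

# Constructed sample of PIX 6.3 syslog (not from the original post); RFC 5737 addresses.
# A 302014 teardown precedes a late 106023 deny for the same flow (the case Cisco
# describes), followed by a 106023 deny with no teardown at all.
SAMPLE_LOG = """\
Mar 24 2004 10:15:01: %PIX-6-302014: Teardown TCP connection 4412 for outside:203.0.113.5/80 to inside:192.0.2.10/34715 duration 0:00:02 bytes 5120 TCP FINs
Mar 24 2004 10:15:02: %PIX-4-106023: Deny tcp src outside:203.0.113.5/80 dst inside:192.0.2.10/34715 by access-group "outside-in"
Mar 24 2004 10:15:40: %PIX-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:192.0.2.10/445 by access-group "outside-in"
"""

TS = r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
TEARDOWN = re.compile(TS + r"%PIX-6-302014: Teardown TCP connection \d+ for "
                      r"(?P<a>[^/ ]+/\d+) to (?P<b>[^/ ]+/\d+)")
DENY = re.compile(TS + r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<src>[^/ ]+/\d+) '
                  r'dst (?P<dst>[^/ ]+/\d+) by access-group "(?P<acl>[^"]+)"')


def _ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")


def classify_denies(log_text, window=timedelta(seconds=60)):
    """Label each 106023 deny 'stale' when a 302014 teardown for the same
    endpoint pair was logged within `window` before it, else 'investigate'."""
    teardowns = {}  # frozenset({endpoint_a, endpoint_b}) -> time of last teardown
    results = []
    for line in log_text.splitlines():
        m = TEARDOWN.match(line)
        if m:
            teardowns[frozenset((m["a"], m["b"]))] = _ts(m["ts"])
            continue
        m = DENY.match(line)
        if not m:
            continue
        when = _ts(m["ts"])
        torn = teardowns.get(frozenset((m["src"], m["dst"])))
        stale = torn is not None and timedelta(0) <= when - torn <= window
        results.append({"time": when, "src": m["src"], "dst": m["dst"],
                        "acl": m["acl"], "verdict": "stale" if stale else "investigate"})
    return results


if __name__ == "__main__":
    for r in classify_denies(SAMPLE_LOG):
        print(f'{r["time"]:%H:%M:%S} {r["verdict"]:11} {r["src"]} -> {r["dst"]} ({r["acl"]})')
```

Denies marked "stale" are the post-teardown packets the Cisco reply says can be ignored; the rest are the ACL hits worth keeping in the alert path.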
 

Accepted Solution

by:modulo
modulo earned 0 total points
PAQed with points refunded (250)

modulo
Community Support Moderator