Solved

Lots of syslog entries %PIX-4-106023 since PIX upgrade to 6.3(3)

Posted on 2004-03-24
Last Modified: 2012-06-27
Since I have upgraded our PIX to IOS 6.3(3), the log file is full of entries:
PIX-4-106023: Deny tcp src outside:"Can be any host"/80 dst inside:"proxies PAT address"/34715 by access-group "outside-in"
This was not the case before the upgrade, running 6.2(2).
It tells me that traffic is blocked coming from a host port 80 to our proxy server, any port > 1024. This must be traffic related to a connection originally set up by the proxy. When I look at the translation table I can still see a translation for that specific port and the proxy and the global address. When I look at the connections I can't see a connection for host/80 <==> proxy/>1024. (BTW - this is the most likely reason for the entry in the log.)

It looks like the proxy server closed the connection and the PIX deleted the entry from the table, but the server at the other end still thinks that there is a connection and tries to send traffic back.

Everything works fine as far as the proxy is concerned!

Nothing has changed in the config since the upgrade.

The config is pretty basic, simple NAT / PAT:

global (outside) 100 ProxiesPATaddr netmask 255.255.255.240
nat (inside) 100 proxy 255.255.255.255

What's different between 6.2 and 6.3 ?

Richard
Question by:RichardBol
6 Comments
Expert Comment

by:lrmoore
ID: 10676271
Oftentimes when you open a web page, then quickly move to another site or close out that page, the original server is still sending stuff back to you, but you've moved on to another page and the original request is closed, so the data gets rejected. Perhaps it was a graphic that wasn't loaded before moving on to a new page. 6.3 is quicker at closing the xlate - that's a good thing.
You can always suppress that message number if it is filling up the logs.
Expert Comment

by:lrmoore
ID: 12353990
My answer is correct. No response from asker makes it no less so.
Author Comment

by:RichardBol
ID: 12549432
LRMoore's theory might be correct, but suppressing the DENY messages will also suppress the DENY messages caused by unauthorized access, so I don't reckon this a good solution.
In the meantime I had a response from Cisco:
"The changes you note are a result of the new feature known as policy NAT. One of the things we had to do with respect to this feature was change the way the PIX processes incoming packets. We now log inbound packets that have no connections associated with them as being denied by the ACL. Prior to this, they would be denied because of no xlate, which the PIX silently dropped (no logs). The 106023 messages can be ignored in most cases if you see a corresponding 302014 message preceding it. The corresponding 302014 is a level 6 (Informational) message and practically no customer would set syslog messages to level 6 or 7 unless in a "troubleshooting problem" situation, because there would be too many messages logged."
Prior to 6.3.3, syslog 106015 was used to indicate the arrival of TCP packets for connections that had been torn down by the PIX. With the Policy NAT feature introduced in 6.3.3, syslog 106023 is now logged to represent this same event.

I have received a patch from Cisco which reverts PIX behavior back to use 106015 instead of 106023.

I'm not allowed to distribute the patch. Cisco Bug ID CSCee27834
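The Cisco explanation above (a 106023 is benign when a 302014 teardown for the same connection preceded it) can be applied on the syslog server rather than by suppressing 106023 on the PIX, which is the objection raised against lrmoore's suggestion earlier in the thread. The following is an added example, not from the original thread and not from Cisco: it reads PIX syslog text, learns each connection's real and mapped endpoints from the 302013 Built message, remembers them when the matching 302014 Teardown arrives, and labels a 106023 as a late packet only if it hits a connection torn down within the last 60 seconds; every other 106023 stays a real deny to be investigated. The message layouts are the PIX 6.3 formats as I recall them from Cisco's syslog documentation, the "Mon DD HH:MM:SS host" prefix is an assumed syslog-server format, the sample lines and addresses are constructed, and the 60-second window is an arbitrary choice; verify the regexes against your own log before relying on them.

```python
"""Separate PIX-4-106023 denies caused by late packets from real ACL denies.

Added example (not from the original forum thread). Requires the PIX to log at
level 6 (informational) so that 302013/302014 connection messages are present.
"""
import re
from datetime import datetime

# Constructed sample syslog lines. Message layouts follow the PIX 6.3 formats
# for 302013, 302014 and 106023 as I recall them; the "Mon DD HH:MM:SS host"
# prefix is an assumed syslog-server format. 198.51.100.20 plays the proxy's
# PAT address, 10.1.1.5 the proxy's real address, 203.0.113.10 a web server.
SAMPLE_LOG = """\
Mar 24 10:00:00 pix %PIX-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.1.1.5/3054 (198.51.100.20/34715)
Mar 24 10:00:03 pix %PIX-6-302014: Teardown TCP connection 4711 for outside:203.0.113.10/80 to inside:10.1.1.5/3054 duration 0:00:03 bytes 4521 TCP FINs
Mar 24 10:00:04 pix %PIX-4-106023: Deny tcp src outside:203.0.113.10/80 dst inside:198.51.100.20/34715 by access-group "outside-in"
Mar 24 10:00:09 pix %PIX-4-106023: Deny tcp src outside:192.0.2.77/4444 dst inside:198.51.100.20/22 by access-group "outside-in"
Mar 24 10:05:00 pix %PIX-4-106023: Deny tcp src outside:203.0.113.10/80 dst inside:198.51.100.20/34715 by access-group "outside-in"
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<msg>%PIX-\d-\d+: .*)$")
BUILT_RE = re.compile(
    r"%PIX-6-302013: Built \w+ TCP connection (?P<id>\d+) for "
    r"(?P<if1>\w+):(?P<r1>[\d.]+)/(?P<rp1>\d+) \((?P<m1>[\d.]+)/(?P<mp1>\d+)\) to "
    r"(?P<if2>\w+):(?P<r2>[\d.]+)/(?P<rp2>\d+) \((?P<m2>[\d.]+)/(?P<mp2>\d+)\)")
TEARDOWN_RE = re.compile(r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+) for ")
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')


def _ts(text):
    # The syslog prefix carries no year; strptime defaults to 1900, which is
    # fine because only differences within one log are used.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def classify_denies(log_text, window_seconds=60):
    """Return a list of (verdict, line) for every 106023 in log_text.

    verdict is "late-packet" when a 302014 teardown for the same connection,
    as it appears on the wire (remote real address -> local mapped address),
    preceded the deny within window_seconds; otherwise "real-deny".
    """
    open_conns = {}   # connection id -> set of keys a 106023 for it could carry
    torn_down = {}    # key -> time of the teardown
    results = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = _ts(m["ts"]), m["msg"]
        if (b := BUILT_RE.search(msg)):
            # Either endpoint may be the src of a later 106023, so keep both
            # orderings: (remote real, local mapped) and vice versa.
            open_conns[b["id"]] = {
                (b["r1"], int(b["rp1"]), b["m2"], int(b["mp2"])),
                (b["r2"], int(b["rp2"]), b["m1"], int(b["mp1"])),
            }
        elif (t := TEARDOWN_RE.search(msg)):
            for key in open_conns.pop(t["id"], ()):
                torn_down[key] = ts
        elif (d := DENY_RE.search(msg)):
            key = (d["sip"], int(d["sport"]), d["dip"], int(d["dport"]))
            seen = torn_down.get(key)
            if seen is not None and 0 <= (ts - seen).total_seconds() <= window_seconds:
                results.append(("late-packet", raw))
            else:
                results.append(("real-deny", raw))
    return results


if __name__ == "__main__":
    for verdict, line in classify_denies(SAMPLE_LOG):
        print(f"{verdict:12s} {line}")
```

The 302013 Built message is needed because it is the only one of the three that shows both addresses: 302014 reports the proxy's real inside address and port, while 106023 reports the PAT address and PAT port that the outside host actually sends to, so the two cannot be matched directly. In the constructed sample, the first deny follows the teardown by one second and is labelled a late packet; the deny to port 22 from an unrelated host and the repeat of the first deny five minutes later are both kept as real denies.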
 

Accepted Solution

by: modulo (earned 0 total points)
ID: 12577493
PAQed with points refunded (250)

modulo
Community Support Moderator