PIX Firewall Syslog Messages
Posted on 2009-07-07
I was going through our PIX syslogs and noticed that we are getting a large volume of 106015 messages. See example below:
2009-07-06 02:39:42 Lpr.Info 10.10.16.228 %PIX-6-106015: Deny TCP (no connection) from 220.127.116.11/80 to 18.104.22.168/31632 flags ACK on interface outside
Here is Cisco's explanation:
Error Message %PIX-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.
Explanation This message is logged when the firewall discards a TCP packet that has no associated connection in the firewall unit's connection table. The firewall looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the firewall discards the packet.
Recommended Action None required unless the firewall receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.
In our case, we are getting a large volume of these. I would like to know whether this is something I should look into further. I am not sure what the best way is to trace the packets from the source to the destination. Is there software that can do this for me? Any recommendations would be appreciated.
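As an added example (not part of the original post or Cisco's documentation), a small Python script that parses 106015 lines in the layout quoted above and ranks them by source host, which is where Cisco's "trace the packets to the source" advice starts. The sample log lines, the RFC 5737 addresses and the late-reply heuristic are constructed assumptions for illustration.

```python
import re
from collections import Counter

# Pattern for the 106015 body exactly as Cisco documents it:
# "Deny TCP (no connection) from IP/port to IP/port flags FLAGS on interface NAME"
PIX_106015 = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Constructed sample in the same layout as the line quoted in the post;
# addresses (RFC 5737 ranges), ports and times are made up.
SAMPLE_LOG = """\
2009-07-06 02:39:42 Lpr.Info 10.10.16.228 %PIX-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 192.0.2.5/31632 flags ACK on interface outside
2009-07-06 02:39:43 Lpr.Info 10.10.16.228 %PIX-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 192.0.2.5/31633 flags FIN ACK on interface outside
2009-07-06 02:39:44 Lpr.Info 10.10.16.228 %PIX-6-106015: Deny TCP (no connection) from 198.51.100.7/54321 to 192.0.2.9/22 flags ACK on interface outside
2009-07-06 02:39:45 Lpr.Info 10.10.16.228 %PIX-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.0.2.9/40212 (192.0.2.9/40212)
2009-07-06 02:39:46 Lpr.Info 10.10.16.228 %PIX-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 192.0.2.5/31634 flags RST ACK on interface outside
"""

def parse_106015(line):
    """Return the fields of one 106015 message, or None for any other line."""
    m = PIX_106015.search(line)
    return m.groupdict() if m else None

def classify(rec):
    """Heuristic (an assumption, not Cisco's): a packet from a well-known service
    port to an ephemeral port carrying ACK/FIN/RST is most often a late reply for a
    connection the firewall has already torn down; anything else deserves a look."""
    if int(rec["sport"]) < 1024 and int(rec["dport"]) >= 1024 and "SYN" not in rec["flags"]:
        return "late-reply"
    return "review"

def summarize(log_text):
    """Count 106015 hits per source host, per (src, dst) pair and per class; this
    is the first step in tracing a large volume of these messages back to its source."""
    by_src, by_pair, by_class = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_106015(line)
        if rec is None:
            continue
        by_src[rec["src"]] += 1
        by_pair[(rec["src"], rec["dst"])] += 1
        by_class[classify(rec)] += 1
    return by_src, by_pair, by_class

if __name__ == "__main__":
    src, pair, cls = summarize(SAMPLE_LOG)
    for host, n in src.most_common():
        print(f"{host:<16} {n} denied packet(s)")
    print(dict(cls))
```

Feed it the real syslog export instead of SAMPLE_LOG; sources that dominate the count, or any hits landing in the "review" class, are the ones to chase with a packet capture on the outside interface.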