Solved

Cisco Firewall ASA5520 Syslog lots of errors showing

Posted on 2011-03-15
5
1,228 Views
Last Modified: 2013-11-29
I have a lot of errors showing up on the Cisco firewall syslog. I have no idea what it means.
It's coming from two internal IP addresses, something with a broadcast.
Could someone tell me what the cause of it is and how I can stop it?

asa-2-106006 local3 critical mar 15 2011 14:31:14: %%asa-2-106006: deny inbound udp from 192.16.1.105/1025 to 192.16.255.255/694 on interface inside  

asa-2-106006 local3 critical mar 15 2011 14:31:14: %%asa-2-106006: deny inbound udp from 192.16.1.103/1025 to 192.16.255.255/694 on interface inside  

Thanks
Question by:mrbrain646
5 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 35141962
deny inbound udp from 192.16.1.105/1025 to 192.16.255.255/694 on interface inside  

There is a host at 192.16.1.105 that is broadcasting to 192.16.255.255. I would assume that the host is on a 16-bit subnet mask of 255.255.0.0 and that the ASA has its internal interface on the 192.16.x.x network as well.

Since the ASA's inside interface shares a subnet with end-user hosts, you are going to see broadcast traffic. No getting around it.

To avoid this, if the client has a layer 3 switch or another router available, I set up a 2-host subnet between the ASA and the switch and let the switch route traffic to the internal VLANs. So the ASA never sees broadcasts from the internal hosts. The ASA only needs a route to send traffic internally.

LVL 5

Accepted Solution

by:
torvir earned 500 total points
ID: 35141963
It seems like you are running Linux HA clusters on the inside LAN, and that they run in broadcast mode.
If you have Linux HA clusters you can change to multicast mode to get rid of the error messages in the firewall.
More info at http://linux-ha.org/wiki/FAQ
 
LVL 17

Expert Comment

by:Kvistofta
ID: 35144974
No matter the cause of the traffic, it looks weird that that logging message is logged as critical (level 2). It is not that critical and I suggest you tune it out; it will probably not be logged any more (depending on your logging settings, of course).

Add the following command:
logging message 106006 level 5

Best regards
Kvistofta
LVL 5

Expert Comment

by:torvir
ID: 35146442
I just want to clarify that if you change the level for message 106006 from 2 to 5, as Kvistofta says, all denied inbound UDP packets will be logged at level 5.
So you don't get critical (level 2) log messages even for real attempts. They come as notifications (level 5).
This could be of importance if you have a monitoring system that alerts only if the log message is of a certain level.
LVL 4

Author Closing Comment

by:mrbrain646
ID: 35156959
load balancer set with wrong subnet mask
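As an added worked example (not part of the thread), the following Python script applies the reasoning from MikeKane's comment and from the closing comment: it parses %ASA-2-106006 lines in the format pasted in the question, works out which subnet masks would make each destination a directed broadcast for the sender, and flags hosts whose implied mask disagrees with the prefix configured on the ASA's inside interface. It also separates out 106006 events that are not broadcasts at all, which are the ones torvir warns would also be demoted if the message severity is lowered. The inside prefix 192.16.1.0/24, the three extra sample log lines, and all function names are assumptions for this example; the thread only says the network is 192.16.x.x.

```python
"""Triage Cisco ASA %ASA-2-106006 "Deny inbound UDP" syslog lines.

Added example for this thread, not code from the original page. The sample
log lines and the inside prefix 192.16.1.0/24 are constructed assumptions.
"""
import ipaddress
import re

# Matches both the collector's lowercase "%%asa-2-106006:" form pasted in the
# question and the stock "%ASA-2-106006:" form.
MSG_RE = re.compile(
    r"%+asa-(?P<sev>\d)-106006:\s*deny inbound udp from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+) on interface (?P<iface>\S+)",
    re.IGNORECASE,
)

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

# Constructed sample input: the two lines from the question, an ordinary
# broadcast on a /24, a unicast deny, and an unrelated message to be ignored.
SAMPLE_LOG = [
    "asa-2-106006 local3 critical mar 15 2011 14:31:14: %%asa-2-106006: deny inbound udp "
    "from 192.16.1.105/1025 to 192.16.255.255/694 on interface inside",
    "asa-2-106006 local3 critical mar 15 2011 14:31:14: %%asa-2-106006: deny inbound udp "
    "from 192.16.1.103/1025 to 192.16.255.255/694 on interface inside",
    "Mar 15 2011 14:32:02: %ASA-2-106006: Deny inbound UDP "
    "from 192.16.1.200/137 to 192.16.1.255/137 on interface inside",
    "Mar 15 2011 14:33:40: %ASA-2-106006: Deny inbound UDP "
    "from 192.16.1.77/40000 to 192.16.1.1/161 on interface inside",
    "Mar 15 2011 14:34:00: %ASA-6-302015: Built outbound UDP connection 1234 "
    "for outside:198.51.100.10/53 (198.51.100.10/53) to inside:192.16.1.77/5353 (203.0.113.5/5353)",
]


def parse_106006(line):
    """Return the fields of a 106006 line as a dict, or None for any other line."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("sev", "sport", "dport"):
        ev[key] = int(ev[key])
    return ev


def candidate_prefixlens(src, dst):
    """Prefix lengths (/30 down to /8, longest first) of the networks that
    contain src and whose directed broadcast address is dst. An empty list
    means dst is not a broadcast address from src's point of view."""
    s = ipaddress.IPv4Address(src)
    d = ipaddress.IPv4Address(dst)
    return [
        plen
        for plen in range(30, 7, -1)
        if ipaddress.IPv4Network((s, plen), strict=False).broadcast_address == d
    ]


def triage(lines, inside_net):
    """Classify 106006 events seen on the ASA's inside interface.

    inside_net is the prefix actually configured on that interface.
    Returns (wrong_mask, expected, unicast):
      wrong_mask: {src: [prefixlens]} for senders whose broadcast destination
                  only makes sense under a mask other than inside_net's
      expected:   ordinary broadcasts on the real subnet (unavoidable noise)
      unicast:    106006 events that are not broadcasts at all; lowering the
                  severity of message 106006 would hide these too
    """
    inside = ipaddress.IPv4Network(inside_net)
    wrong_mask, expected, unicast = {}, [], []
    for line in lines:
        ev = parse_106006(line)
        if ev is None or ev["iface"].lower() != "inside":
            continue
        src = ipaddress.IPv4Address(ev["src"])
        dst = ipaddress.IPv4Address(ev["dst"])
        plens = candidate_prefixlens(ev["src"], ev["dst"])
        if dst == LIMITED_BROADCAST or (src in inside and dst == inside.broadcast_address):
            expected.append(ev)
        elif plens:
            wrong_mask[ev["src"]] = plens
        else:
            unicast.append(ev)
    return wrong_mask, expected, unicast


def report(lines, inside_net):
    """Human-readable summary: one line per misconfigured host plus two totals."""
    wrong_mask, expected, unicast = triage(lines, inside_net)
    out = [
        f"{src} broadcasts as if its subnet were /{min(plens)}; inside is "
        f"{inside_net}: check that host's subnet mask"
        for src, plens in sorted(wrong_mask.items())
    ]
    out.append(f"{len(expected)} ordinary broadcast deny(s) on {inside_net}")
    out.append(f"{len(unicast)} non-broadcast 106006 deny(s) that deserve a look")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, "192.16.1.0/24"):
        print(line)
```

Run against the constructed sample, the two hosts from the question are reported as broadcasting under a /16 while the inside interface is a /24, which is exactly the "load balancer set with wrong subnet mask" finding. The unicast deny is kept in its own bucket so you can see what a blanket `logging message 106006 level 5` would also silence before you apply it.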
