Solved

Cisco Firewall ASA5520 Syslog lots of errors showing

Posted on 2011-03-15
5
1,214 Views
Last Modified: 2013-11-29
I have alot of errors showing up on the cisco firewall syslog. i have no idea what it means.
Its coming from two internal ip addresses. something with a broadcast.
could someone tell me what is the cause of it and how do i stop it?

asa-2-106006 local3 critical mar 15 2011 14:31:14: %%asa-2-106006: deny inbound udp from 192.16.1.105/1025 to 192.16.255.255/694 on interface inside  

asa-2-106006 local3 critical mar 15 2011 14:31:14: %%asa-2-106006: deny inbound udp from 192.16.1.103/1025 to 192.16.255.255/694 on interface inside  

Thanks
0
Comment
Question by:mrbrain646
5 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 35141962
deny inbound udp from 192.16.1.105/1025 to 192.16.255.255/694 on interface inside  

There is a host at 192.16.1.105 that is broadcasting to 192.16.255.255.   I would assume that the host is on a 16 bit subnet mask of 255.255.0.0 and that the ASA has its internal interface on the 192.16.x.x network as well.    

Since the ASA's inside interface shares a subnet with end user hosts, you are going to see broadcast traffic.    No getting around it.  

To avoid this, if the client has a layer 3 switch or another router available, I setup a 2 host subnet between the ASA and the switch and let the switch route traffic to the internal VLANs.    So the ASA never sees broadcasts from the internal hosts.      The ASA only needs a route to send traffic internally.

0
 
LVL 5

Accepted Solution

by:
torvir earned 500 total points
ID: 35141963
It seems like you are running linux ha-clusters on the inside LAN. And that it runs in broadcast mode.
If you have linux ha clusters you can change to multicast mode to get rid of the error messages in the firewall.
More info at http://linux-ha.org/wiki/FAQ
 
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 35144974
No matter of the cause of the traffic, it looks weird that that logging message is logged as critical (level 2). It is not that critical and I suggest you to tune it out, and it will probably not be logged any more (depending on your logging settings of course).

Add the following command:
logging message 106006 level 5

Best regards
Kvistofta
0
 
LVL 5

Expert Comment

by:torvir
ID: 35146442
I just want to clearify that if you change the level for message 106006 from 2 to 5, as Kvistofta says, all denied inbound UDP packets will be logged at level 5.
So you don't get critical (level 2) logg messages even for real attempts. They are coming as notifications (level 5).
This could be of importance if you have a monitoring system that alerts only if the logg message is of a certain level.
0
 
LVL 4

Author Closing Comment

by:mrbrain646
ID: 35156959
load balancer set with wrong subnet mask
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
In this increasingly digital world, security hacks are no longer just a threat, but a reality. As we've witnessed with Target's big identity hack 2013, Heartbleed in 2015, and now Cloudbleed, companies and their leaders need to prepare for the unthi…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question