Cisco Firewall ASA5520 Syslog lots of errors showing

Posted on 2011-03-15
Last Modified: 2013-11-29
I have a lot of errors showing up on the Cisco firewall syslog. I have no idea what they mean.
They are coming from two internal IP addresses, something with a broadcast.
Could someone tell me what the cause of it is and how I stop it?

asa-2-106006 local3 critical mar 15 2011 14:31:14: %%asa-2-106006: deny inbound udp from 192.16.1.105/1025 to 192.16.255.255/694 on interface inside  

asa-2-106006 local3 critical mar 15 2011 14:31:14: %%asa-2-106006: deny inbound udp from 192.16.1.103/1025 to 192.16.255.255/694 on interface inside  

Thanks
Question by:mrbrain646
LVL 33

Expert Comment

by:MikeKane
ID: 35141962
deny inbound udp from 192.16.1.105/1025 to 192.16.255.255/694 on interface inside  

There is a host at 192.16.1.105 that is broadcasting to 192.16.255.255. I would assume that the host is on a 16-bit subnet mask of 255.255.0.0 and that the ASA has its internal interface on the 192.16.x.x network as well.

Since the ASA's inside interface shares a subnet with end-user hosts, you are going to see broadcast traffic. No getting around it.

To avoid this, if the client has a layer 3 switch or another router available, I set up a 2-host subnet between the ASA and the switch and let the switch route traffic to the internal VLANs. So the ASA never sees broadcasts from the internal hosts. The ASA only needs a route to send traffic internally.

LVL 5

Accepted Solution

by:
torvir earned 500 total points
ID: 35141963
It seems like you are running Linux HA clusters on the inside LAN, and that they run in broadcast mode.
If you have Linux HA clusters you can change to multicast mode to get rid of the error messages in the firewall.
More info at http://linux-ha.org/wiki/FAQ
LVL 17

Expert Comment

by:Kvistofta
ID: 35144974
No matter the cause of the traffic, it looks weird that that logging message is logged as critical (level 2). It is not that critical and I suggest you tune it out, and it will probably not be logged any more (depending on your logging settings, of course).

Add the following command:
logging message 106006 level 5

Best regards
Kvistofta
LVL 5

Expert Comment

by:torvir
ID: 35146442
I just want to clarify that if you change the level for message 106006 from 2 to 5, as Kvistofta says, all denied inbound UDP packets will be logged at level 5.
So you don't get critical (level 2) log messages even for real attempts. They come as notifications (level 5).
This could be of importance if you have a monitoring system that alerts only if the log message is of a certain level.
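Added example, not from any participant in this thread: a small Python parser for ASA 106006 "Deny inbound" lines that checks, as MikeKane describes, whether the destination is the directed broadcast of the source's subnet (for an assumed /16 it is; for a /24 it is not, which is the mismatch the author's closing comment attributes to a wrongly configured load balancer), flags UDP/694 as the default Linux-HA heartbeat port behind torvir's guess, and models Kvistofta's `logging message 106006 level 5` change as a severity override so that torvir's caveat is visible: a monitoring rule that alerts at level 2 or lower stops firing for every 106006 line, broadcast or not. The sample log lines are constructed to match the format in the question; the /16 inside mask and the level-2 alert threshold are assumptions.

```python
import ipaddress
import re

# Constructed sample lines in the ASA 106006 format from the question (not captured from a live device).
SAMPLE_LOGS = [
    "Mar 15 2011 14:31:14: %ASA-2-106006: Deny inbound UDP from 192.16.1.105/1025 to 192.16.255.255/694 on interface inside",
    "Mar 15 2011 14:31:14: %ASA-2-106006: Deny inbound UDP from 192.16.1.103/1025 to 192.16.255.255/694 on interface inside",
    # A constructed unicast deny, to show what the severity change also affects.
    "Mar 15 2011 14:32:01: %ASA-2-106006: Deny inbound UDP from 192.16.1.200/5353 to 192.16.1.1/161 on interface inside",
]

# %ASA-<severity>-<message id>: Deny inbound <proto> from <src>/<sport> to <dst>/<dport> on interface <name>
LOG_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): Deny inbound (?P<proto>\w+) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<iface>\S+)",
    re.IGNORECASE,  # the viewer in the question lowercased the lines; accept both
)

HEARTBEAT_PORT = 694  # default UDP port of Linux-HA heartbeat


def parse_106006(line):
    """Return the fields of a 106006 deny line as a dict, or None if the line is something else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "severity": int(d["sev"]),
        "msgid": int(d["msgid"]),
        "proto": d["proto"].upper(),
        "src": d["src"],
        "sport": int(d["sport"]),
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "iface": d["iface"],
    }


def is_directed_broadcast(src, dst, prefixlen):
    """True if dst is the broadcast address of the network src sits in under the given mask length."""
    net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
    return ipaddress.ip_address(dst) == net.broadcast_address


def classify(entry, inside_prefixlen=16):
    """Label a parsed deny: heartbeat broadcast, other broadcast, or an ordinary unicast deny."""
    if entry["proto"] == "UDP" and is_directed_broadcast(entry["src"], entry["dst"], inside_prefixlen):
        return "broadcast-heartbeat" if entry["dport"] == HEARTBEAT_PORT else "broadcast-other"
    return "unicast-deny"


def effective_severity(entry, overrides):
    """Severity after 'logging message <id> level <n>' overrides, keyed by message id."""
    return overrides.get(entry["msgid"], entry["severity"])


def alerts(lines, overrides=None, alert_at_or_below=2, inside_prefixlen=16):
    """Simulate a monitor that alerts on lines at or below a severity; returns (class, src, dst, dport)."""
    overrides = overrides or {}
    out = []
    for line in lines:
        e = parse_106006(line)
        if e is None:
            continue
        if effective_severity(e, overrides) <= alert_at_or_below:
            out.append((classify(e, inside_prefixlen), e["src"], e["dst"], e["dport"]))
    return out


if __name__ == "__main__":
    print("default logging (106006 at level 2):")
    for a in alerts(SAMPLE_LOGS):
        print("  ALERT", a)
    print("after 'logging message 106006 level 5':")
    print("  alerts:", alerts(SAMPLE_LOGS, overrides={106006: 5}))  # empty: the unicast deny is silenced too
    print("192.16.1.105 -> 192.16.255.255 is a /16 broadcast:",
          is_directed_broadcast("192.16.1.105", "192.16.255.255", 16))
    print("... and under a /24 mask:", is_directed_broadcast("192.16.1.105", "192.16.255.255", 24))
```

The last two lines are the check behind the author's closing comment: a host that genuinely has a /24 mask would broadcast to 192.16.1.255, so a 192.16.255.255 destination means the sender's mask is /16 or the ASA is seeing traffic from a host configured for a wider network than the one it is actually on.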
LVL 4

Author Closing Comment

by:mrbrain646
ID: 35156959
Load balancer set with wrong subnet mask.