excessive dropped packets

Unanswered Question
Nov 1st, 2007


I activated syslog in my PIX.

I am receiving many syslog messages in this format:

deny tcp source outside:PBIP/80 dest inside:MyPBIP/rndport

where PBIP is a public IP and MyPBIP is the public IP of my external interface in PIX.

They seem to be like data packets coming from web servers. They should pass and come to internal clients.

Some PBIPs belong to Yahoo or Google, so they do not seem to be an attack, if we are sure they are not spoofed.

But why does the PIX drop these packets? Do they arrive late, so that it considers them out of connection?

Any comments? Thanks.

lgijssel Thu, 11/01/2007 - 02:32

Your guess that these packets are "too late" is in fact correct. This kind of traffic is only allowed in as long as a dynamic NAT translation exists. When the connection is idle for some time, the translation entry is removed by the PIX and further traffic is denied.

Likely these are updates from pages with dynamic content or so where the webserver has not received a disconnect message from the client.
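
A triage sketch for the deny messages discussed in this thread, added here as an example and not posted by either participant: it separates denies shaped like late web-server replies (source port 80/443 to a high port on the firewall's outside address) from other unsolicited inbound attempts. The regex follows the simplified format quoted in the question; the port sets, function names and sample lines are assumptions.

```python
import re
from collections import Counter

# Matches the simplified deny format quoted in the question; src/dst spellings also accepted.
DENY_RE = re.compile(
    r"deny\s+tcp\s+(?:src|source)\s+(?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+)\s+"
    r"(?:dst|dest)\s+(?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)",
    re.IGNORECASE,
)

WEB_PORTS = {80, 443}   # assumption: server ports treated as "web replies"
EPHEMERAL_MIN = 1024    # assumption: client/PAT ports are at or above this


def classify(line, outside_ip):
    """Return (label, source_ip) for a deny line, or None if it does not match."""
    m = DENY_RE.search(line)
    if not m:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    reply_shaped = (
        m["sif"].lower() == "outside"
        and m["dip"] == outside_ip      # aimed at the firewall's own outside address
        and sport in WEB_PORTS          # coming from a web server port
        and dport >= EPHEMERAL_MIN      # going to a client-style high port
    )
    return ("late_reply" if reply_shaped else "unsolicited", m["sip"])


def summarize(lines, outside_ip):
    """Count deny lines per (label, source_ip)."""
    counts = Counter()
    for line in lines:
        result = classify(line, outside_ip)
        if result:
            counts[result] += 1
    return counts


# Constructed sample lines using documentation address ranges, not real logs.
SAMPLE = [
    "deny tcp source outside:192.0.2.10/80 dest inside:203.0.113.5/34211",
    "deny tcp source outside:192.0.2.10/80 dest inside:203.0.113.5/34212",
    "deny tcp source outside:198.51.100.7/51515 dest inside:203.0.113.5/22",
    "deny tcp source outside:192.0.2.44/443 dest inside:203.0.113.5/40100",
]

if __name__ == "__main__":
    for (label, src), n in summarize(SAMPLE, "203.0.113.5").most_common():
        print(f"{label:12} {src:15} {n}")
```

A reply-shaped line only suggests an expired entry; the fields in the message alone cannot rule out a spoofed source.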



