Firewall log interpretation.

Unanswered Question
Mar 5th, 2008

Hello All,

I just installed my ASA 5505 and the firewall log showed that it denied a connection from an IP address every second. Please see the attached file.

What does the log message indicate, and how do I stop the IP address from attacking my ASA?

Thank you for your help!!

brettmilborrow Wed, 03/05/2008 - 14:36

Do you have an ICMP policy configured on your ASA?

Try the following to check:

sh run | grep icmp

w-asaadmin Thu, 03/06/2008 - 06:53


Here is the output:

ASA-ST# sh run | grep icmp

icmp unreachable rate-limit 1 burst-size 1

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

brettmilborrow Thu, 03/06/2008 - 08:07

The ICMP type and code are the clue here: type 11, code 0 = Time to Live exceeded in transit.

This generally points to a routing loop in a path to a particular host. However, these blocked packets could be response packets to an outbound traceroute test.

brettmilborrow Thu, 03/06/2008 - 08:20

Well, I would check to see if someone was trying a traceroute test at the time.

It all depends if you want to allow traceroutes out of your network. If not, do nothing, your firewall is working as it should.

If you do, you will need to allow the ICMP packets back into your network using an ACL.
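To put the interpretation above into practice on a whole log rather than one line, here is an added Python example (not from the thread or from Cisco): it parses ASA ICMP deny messages, counts them per source, and labels each type/code pair the way the replies explain it. The message layout used is that of ASA syslog 106014 as I know it, and the three sample lines are constructed, since the poster's attachment is not on the page.

```python
import re
from collections import Counter

# Assumed ASA syslog shape for an ICMP deny (message 106014). The thread's
# attached log is not available, so these lines are constructed samples.
SAMPLE_LOG = """\
%ASA-3-106014: Deny inbound icmp src outside:203.0.113.9 dst inside:192.0.2.10 (type 11, code 0)
%ASA-3-106014: Deny inbound icmp src outside:203.0.113.9 dst inside:192.0.2.10 (type 11, code 0)
%ASA-3-106014: Deny inbound icmp src outside:198.51.100.7 dst inside:192.0.2.10 (type 8, code 0)
"""

# ICMP type/code pairs relevant to this thread, with the reading given above:
# type 11 code 0 is TTL exceeded, i.e. a routing loop or a traceroute reply.
ICMP_MEANING = {
    (11, 0): "time-exceeded in transit (TTL expired): routing loop or reply to an outbound traceroute",
    (11, 1): "time-exceeded: fragment reassembly timeout",
    (8, 0): "echo request (ping)",
    (3, 3): "port unreachable: final-hop reply of a UDP traceroute",
}

LINE_RE = re.compile(
    r"Deny inbound icmp src (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)

def parse_icmp_denies(text):
    """Return one dict per matching deny line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["type"], d["code"] = int(d["type"]), int(d["code"])
            events.append(d)
    return events

def summarize(events):
    """Count denies per (source, type, code), most frequent first, with the meaning of each pair."""
    counts = Counter((e["src"], e["type"], e["code"]) for e in events)
    return [
        {"src": src, "type": t, "code": c, "count": n,
         "meaning": ICMP_MEANING.get((t, c), "unclassified")}
        for (src, t, c), n in counts.most_common()
    ]

if __name__ == "__main__":
    for row in summarize(parse_icmp_denies(SAMPLE_LOG)):
        print(row)
```

A source that shows up with type 11 code 0 at a steady rate is worth checking against your own outbound traceroute activity before treating it as an attack.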
