Strange denials in logs

jason.scott
Level 1

Just installed some new ASAs to replace our old 520 PIX boxes and I'm seeing some interesting traffic being denied. The traffic originates from various websites (that our users are accessing without difficulties) and is destined for our proxy server. A sample error is included below. I've changed the proxy server address.

4 Apr 24 2007 14:12:06 106023 212.58.227.75 10.1.1.1 Deny tcp src outside:212.58.227.75/80 dst inside:10.1.1.1/59584 by access-group "outside_access_in" [0x0, 0x0]

It's strange because obviously no ACL is required in this setup, because any traffic coming back to the proxy server should already be part of an existing conversation. It isn't causing operational issues as far as I can tell, but I'd like to understand the messages or suppress them so they don't fill my logs up.

7 Replies

Andrew Yourtchenko
Cisco Employee

Those are most probably in-flight residual packets that are denied because the connection on the ASA is already considered closed - so it is treated as a "new session" and hits the default deny in the ACL.

You can enable the "sysopt connection timewait" to have the ASA linger the deleted connections for a while (20 sec), then the syslogs should be gone.

Indeed this will cause a slight increase in the number of connections as seen by "show conn".

If you prefer, you can verify that my assumption is correct by following:

1) collect two captures on inside + outside

2) correlate the captures with the syslogs to see exactly which packets would be dropped.

What you should see in the captures is the very last packet(s) being denied.

Thank you. Unfortunately, despite configuring the timewait command, I'm still seeing these denials. I'm not worried about them except that they fill my logs.

It would be nice if you could easily filter out certain events from syslogs rather than choose what to include.

Hi Jason,

You can "avoid" that message with the below commands.

conf t

no logging message 106023

wr mem

Cheers,

Emilio

Well, if you do the command as you suggest, wouldn't you then not be logging all denies? Wouldn't you then be missing some legitimate denies that aren't related to his problem?

subflava
Level 1

Scott,

Let me know if you find anything. I've recently gone through the same PIX --> ASA upgrade and I'm seeing the same issue. Getting a ton of denies on ports 80/443/25, but they don't seem to be causing an operational issue.

I did some checking of the addresses that are showing up and I've noticed that most/all seem to be related to ad-tracking/double-click/web tracking type of traffic. I think that has something to do with it...I wonder if some websites generate these secondary connections from advertising servers which come from a different source than the original website?

I get ~20/sec. My message is 01-04-2008 16:06:21 Local4.Warning pix.xxx.xxxxx.com Jan 04 2008 15:58:39: %PIX-4-106023: Deny tcp src outside:xxx.xxx.xxx.xxx/29977 dst inside:yyy.yyy.yyy.yyy/25 by access-group "OUTSIDE_ACCESS_IN"

Where yyy.yyy.yyy.yyy is my webserver.

Is this number of denies normal?
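As an added example (not code from any poster in this thread), a small Python script that parses the 106023 deny lines quoted above and sorts them by the heuristic Andrew describes: a well-known source port hitting an ephemeral inside port looks like a late packet of an already-closed session, while anything aimed at a service port on the inside host (such as the port 25 denies in the previous post) is a genuine inbound attempt that a blanket `no logging message 106023` would also silence. The sample lines and addresses are constructed, and the classification is a triage aid only; the capture correlation Andrew suggests is still the real confirmation.

```python
import re
from collections import Counter
# Matches the Deny portion shared by the ASA (106023) and PIX (%PIX-4-106023)
# message formats quoted in this thread, regardless of the syslog prefix.
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample lines modelled on the two formats quoted in the thread
# (addresses are RFC 5737 documentation ranges and RFC 1918 space, not real hosts).
SAMPLE_LOG = """\
4 Apr 24 2007 14:12:06 106023 198.51.100.75 10.1.1.1 Deny tcp src outside:198.51.100.75/80 dst inside:10.1.1.1/59584 by access-group "outside_access_in" [0x0, 0x0]
4 Apr 24 2007 14:12:07 106023 198.51.100.20 10.1.1.1 Deny tcp src outside:198.51.100.20/443 dst inside:10.1.1.1/59601 by access-group "outside_access_in" [0x0, 0x0]
01-04-2008 16:06:21 Local4.Warning pix.example.com Jan 04 2008 15:58:39: %PIX-4-106023: Deny tcp src outside:203.0.113.9/29977 dst inside:10.2.2.2/25 by access-group "OUTSIDE_ACCESS_IN"
01-04-2008 16:06:22 Local4.Warning pix.example.com Jan 04 2008 15:58:40: %PIX-4-106023: Deny tcp src outside:203.0.113.9/29978 dst inside:10.2.2.2/22 by access-group "OUTSIDE_ACCESS_IN"
"""

def parse_deny(line):
    """Return the fields of a 106023 deny as a dict, or None for other lines."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["src_port"] = int(d["src_port"])
    d["dst_port"] = int(d["dst_port"])
    return d

def classify(deny):
    """Heuristic triage: a service port on the inside host means an inbound
    attempt; a well-known source port towards an ephemeral port looks residual."""
    if deny["dst_port"] < 1024:
        return "inbound-attempt"
    if deny["src_port"] < 1024:
        return "likely-residual"
    return "unclassified"

def triage(log_text):
    """Count denies per (class, destination port) so the two kinds can be compared."""
    counts = Counter()
    for line in log_text.splitlines():
        deny = parse_deny(line)
        if deny:
            counts[(classify(deny), deny["dst_port"])] += 1
    return counts

if __name__ == "__main__":
    for (kind, port), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{kind:17s} dst port {port:5d}: {n}")
```

Run against a real syslog export to see how many of the denies are the residual kind before deciding whether to suppress the message on the firewall or filter it at the syslog collector instead.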

m.minarini
Level 1

I have the same problem on my ASA 5510, version 7.3.

Is there a fix for this?

Regards,

Massimo
