106011 Syslog Messages

I get these all the time:

Sep 19 2002 01:05:37: %PIX-3-106011: Deny inbound (No Xlate) tcp src outside: (some IP address on someone else's network)/80 dst outside:(public NAT address on my network)/3900

This occurs about every minute or so, and the dst outside port is random in the 3000's range.

Any thoughts?


Re: 106011 Syslog Messages

This could be caused by stray or late-arriving ACKs or FINs from server to client at TCP session closure. Add "sysopt connection timewait" and see if these messages are reduced.

PIX will tear down NATs and inbound connections once it sees the first FIN packet. Adding this command makes it wait 15 seconds so the FIN from the other side can come through and the ACK can go back.
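To check how many 106011 denies in a log fit the pattern described above (packets from a server port to a client port with no translation left), the lines can be triaged by port direction. This is an added example, not part of the original posts or any Cisco tool; the 1023 port cutoff, the function names and the sample addresses are assumptions made for illustration.

```python
import re
from collections import Counter

# Field layout follows the 106011 line quoted in the question.
DENY_RE = re.compile(
    r"%PIX-3-106011: Deny inbound \(No Xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):\s*(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):\s*(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)",
    re.IGNORECASE,
)

WELL_KNOWN_MAX = 1023  # assumption: ports above this are client ephemeral ports


def classify(line):
    """Return 'late-reply', 'unsolicited', 'other', or None if not a 106011 line."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    src_port, dst_port = int(m["src_port"]), int(m["dst_port"])
    if src_port <= WELL_KNOWN_MAX < dst_port:
        return "late-reply"   # server port -> client port, as in the question
    if dst_port <= WELL_KNOWN_MAX:
        return "unsolicited"  # aimed at a service port with no translation
    return "other"


def summarize(lines):
    """Count denies per class, and per (source IP, source port) for late replies."""
    classes, servers = Counter(), Counter()
    for line in lines:
        kind = classify(line)
        if kind is None:
            continue
        classes[kind] += 1
        if kind == "late-reply":
            m = DENY_RE.search(line)
            servers[(m["src_ip"], int(m["src_port"]))] += 1
    return classes, servers


# Constructed sample lines using documentation addresses, not taken from the thread.
PREFIX = "Sep 19 2002 01:05:37: %PIX-3-106011: Deny inbound (No Xlate) tcp "
SAMPLE = [
    PREFIX + "src outside: 198.51.100.7/80 dst outside:203.0.113.10/3900",
    PREFIX + "src outside:198.51.100.7/80 dst outside:203.0.113.10/3412",
    PREFIX + "src outside:192.0.2.44/4021 dst outside:203.0.113.10/23",
    PREFIX + "src outside:192.0.2.44/4000 dst outside:203.0.113.10/5000",
    "Sep 19 2002 01:05:40: unrelated line",
]
```

If most denies fall in the "late-reply" class, comparing that count before and after enabling "sysopt connection timewait" shows whether the command reduced them.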
