Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

excessive smb deny logs in webhosting environment

We've deployed two pixes in a failover configuration and placed them in front of a farm of webservers. The servers generate some 20 Mbit of traffic at peak times, many different sites are hosted in this webfarm.

Pretty much all traffic that is allowed to go the farm of servers is port 80 traffic, with a number of exceptions. This works well.

Ever since the installation, we're seeing - a lot of - log messages like the following in our syslog (anonymized for privacy of end users):

Jun 4 13:01:16 inside.fw1.xxxxxxxx.net %PIX-4-106023: Deny udp src outside:xxx.xxx.95.103/137 dst inside:xxx/137 by access-group "acl-outside"

Jun 4 13:01:17 inside.fw1.xxxxxxxx.net %PIX-4-106023: Deny udp src outside:xxx.xxx.107.104/137 dst inside:xxx/137 by access-group "acl-outside"

We see approximately 3 of these messages every five seconds from totally random sources and we have seen them since months and months.

Obviously it is 'a good thing'(tm) that the PIXes are blocking this traffic. I'm still not too sure what is causing these messages. Possibly some webbrowser implementations send a netbios packet before opening a http connection or so... It would be nice if someone could comment on the cause.

Next question, is it possible to not log specific types of denied traffic ??

Many thanks for your help.

Frans

3 REPLIES
New Member

Re: excessive smb deny logs in webhosting environment

PIX-4-106023 means "An IP packet was denied by the access-list " acl_outside.

"Change permission of access-list if a permit policy is desired. If the messages persist from the same source address, messages could indicate a foot printing or port scanning attempt. Contact the remote host administrator".

You can use the "no logging message 106023"command to suppress the above message (not advisable) or replace the number with one you like. You can input many.

You can download the Cisco PIX System Log Messageslist from .

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/syslog/

New Member

Re: excessive smb deny logs in webhosting environment

I'm not intending to disable loggin of the 106023 message completely. I was just hoping to be able to disable any udp port 137 logs, or to discover the cause of the udp port 137 messages.... this cannot be an attack as the messages keep coming in continually from random sources ever since the installation.

I'm assuming that some version of some web browser does a netbios connect before it tries to request a webpage, but I just can't get my hands on it. I'll be installing v6.2 in an upcoming maintenance window and hope to be able to use the new 'tcpdump' feature to find out what is in these packets...

thanks!

Frans

New Member

Re: excessive smb deny logs in webhosting environment

The requests to port 137 are used by netbios for name resolution. I have an application that processes syslogs and if DNS fails to resolve the host name of a remote device it will attempt to identify the host using netbios.

As far as I know you can only supress logging by message number.

Ron

93
Views
0
Helpful
3
Replies