Cisco Support Community
Community Member

PIX and Content Engine

I am trying to install a content engine, CE560, and every time that I start to use it, the PIX syslog messages increase by about 500%. Most of the extra messages concern denied connections from outside addresses with a source port of 80 and all destined for the CE-560. Users are still able to surf the web, but we get a ton of these messages.

%PIX-6-106015: Deny TCP (no connection) from w.x.y.z/80 to a.b.c.d/18825 flags PSH ACK on interface outside

Community Member

Re: PIX and Content Engine

According to the docs, the description of the above syslog message is:

Explanation This message is logged when the PIX Firewall discards a TCP packet that has no associated connection in the PIX Firewall unit's connection table. PIX Firewall looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the PIX Firewall discards the packet.

Action None required unless the PIX Firewall receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.

The content engine's connections are being closed after the TCP session is done and removed from the connection table on the PIX, and the www server being visited is sending whatever flag is set in the syslog message. Most of these will probably have RST ACK or FIN ACK. The www server is acknowledging an RST request or FIN request, but the connection entry on the firewall has already been removed, so the firewall drops that packet and logs the above message.
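A small Python helper, added here as an example and not part of the original thread or of any Cisco tooling, that does the "trace the packets to the source" step the documentation's Action note asks for. It parses 106015 lines, separates drops that fit the explanation above (a non-SYN segment from a web server on source port 80 to the content engine after the PIX has torn the connection down) from everything else, and counts sources and flag combinations so the remainder can be investigated. The content engine address 192.0.2.10, the sample syslog lines and the unrelated 302001 noise line are constructed for the example.

```python
import re
from collections import Counter

# Pattern for the PIX 106015 message quoted in the thread:
# %PIX-6-106015: Deny TCP (no connection) from SRC/SPORT to DST/DPORT flags FLAGS on interface IFACE
PIX_106015 = re.compile(
    r"%PIX-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Constructed sample syslog lines (not from the original post). 192.0.2.10 plays the
# content engine, 203.0.113.x the outside web servers; the last line is unrelated noise.
SAMPLE_LOG = """\
%PIX-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 192.0.2.10/18825 flags PSH ACK on interface outside
%PIX-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 192.0.2.10/18826 flags FIN ACK on interface outside
%PIX-6-106015: Deny TCP (no connection) from 203.0.113.22/80 to 192.0.2.10/18901 flags RST ACK on interface outside
%PIX-6-106015: Deny TCP (no connection) from 203.0.113.22/80 to 192.0.2.10/18902 flags FIN ACK on interface outside
%PIX-6-106015: Deny TCP (no connection) from 198.51.100.7/44321 to 192.0.2.25/22 flags ACK on interface outside
%PIX-6-302001: Built outbound TCP connection 4711 for faddr 203.0.113.10/80 gaddr 192.0.2.10/18830 laddr 10.1.1.5/1050
"""

CE_ADDR = "192.0.2.10"  # assumed content engine address for the example


def parse_106015(line):
    """Return the fields of a 106015 line as a dict, or None for any other message."""
    m = PIX_106015.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = tuple(rec["flags"].split())
    return rec


def is_web_tail(rec, ce_addr):
    """True for the case the answer describes: a non-SYN segment from a web server
    (source port 80) to the content engine after the PIX has already removed the
    connection entry. Anything else is worth a closer look."""
    return rec["sport"] == 80 and rec["dst"] == ce_addr and "SYN" not in rec["flags"]


def summarize(log_text, ce_addr):
    """Group 106015 drops so the 'trace the packets to the source' step is a short
    table instead of a scroll through raw syslog."""
    recs = [r for r in map(parse_106015, log_text.splitlines()) if r is not None]
    tail = [r for r in recs if is_web_tail(r, ce_addr)]
    other = [r for r in recs if not is_web_tail(r, ce_addr)]
    return {
        "total": len(recs),
        "web_tail_to_ce": len(tail),
        "other": len(other),
        "by_source": Counter(r["src"] for r in recs),
        "by_flags": Counter(" ".join(r["flags"]) for r in recs),
        "other_records": other,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, CE_ADDR)
    print(f"106015 drops: {s['total']}  (web tail to CE: {s['web_tail_to_ce']}, other: {s['other']})")
    for src, n in s["by_source"].most_common():
        print(f"  {src:<16} {n}")
    for flags, n in s["by_flags"].most_common():
        print(f"  flags {flags:<10} {n}")
    for r in s["other_records"]:
        print(f"  investigate: {r['src']}/{r['sport']} -> {r['dst']}/{r['dport']} flags {' '.join(r['flags'])}")
```

Feed it the real syslog file instead of SAMPLE_LOG and set CE_ADDR to the content engine's outside-visible address; the "investigate" lines are the ones the documentation's Action note is about, the rest is the expected post-teardown tail from web servers.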
