Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX disallowing new connections

I am using a PIX 501 50 user device and the suddenly the internet started going up and down. Looking at my Syslog entries I found a lot of the following entries:

2006-05-02 18:26:41 Local4.Error 192.168.1.1 %PIX-3-305006: portmap translation creation failed for udp src inside:192.168.1.8/1076 dst outside:XX.XXX.XX.XX/53

2006-05-02 18:26:41 Local4.Error 192.168.1.1 %PIX-3-201008: The PIX is disallowing new connections.

2006-05-02 18:26:41 Local4.Error 192.168.1.1 %PIX-3-305006: portmap translation creation failed for udp src inside:192.168.1.8/1076 dst outside:XX.XXX.XX.XX/53

2006-05-02 18:26:45 Local4.Error 192.168.1.1 %PIX-3-201008: The PIX is disallowing new connections.

2006-05-02 18:26:45 Local4.Error 192.168.1.1 %PIX-3-305006: portmap translation creation failed for udp src inside:192.168.1.13/1066 dst outside:XX.XXX.XX.XX/53

I could not keep it up running so I swapped it out with a 3COM unit. tonight I brought it backup and used PDM to run the startup wizard again and it appears that all is working correct now. Any thoughts on what was going on with the PIX 501. There have never been more than 7 user when checking the user count on the firewall.

Did something just burp as the unit had been up and running for a good while.

Thanks in advance,

Greg

2 REPLIES

Re: PIX disallowing new connections

Hi acroding the the error decoded .. it seems it is related to using a static instruction using a mask other than 255.255.255.255 .. can you email me the output of show run | inc static

I hope the info below helps a bit ... please rate it if it does !!!

1. %PIX-3-305006: {outbound static|identity|portmap|regular) translation creation failed for protocol src interface_name:source_address/source_port dst interface_name:dest_address/dest_port

A protocol (UDP, TCP, or ICMP) failed to create a translation through the security appliance. This message appears as a fix to caveat CSCdr0063 that requested that security appliance not allow packets that are destined for network or broadcast addresses. The security appliance provides this checking for addresses that are explicitly identified with static command statements. With the change, for inbound traffic, the security appliance denies translations for a destined IP address identified as a network or broadcast address. The security appliance does not apply PAT to all ICMP message types; it only applies PAT ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT xlate. So, when the other ICMP messages types are dropped, syslog message 305006 (on the security appliance) is generated. The security appliance utilizes the global IP and mask from configured static command statements to differ regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the security appliance does not create a translation for network or broadcast IP addresses with inbound packets. For example: static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128 Global address 10.2.2.128 is responded to as a network address and 10.2.2.255 is responded to as the broadcast address. Without an existing translation, security appliance denies inbound packets destined for 10.2.2.128 or 10.2.2.255, and logs this syslog message. When the suspected IP is a host IP, configure a separated static command statement with a host mask in front of the subnet static (first match rule for static command statements). The following static causes the security appliance to respond to 10.2.2.128 as a host address: static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.255 static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.128 The translation may be created by traffic started with the inside host with the questioned IP address. Because the security appliance views a network or broadcast IP address as a host IP address with overlapped subnet static configuration, the network address translation for both static command statements must be the same.

Re: PIX disallowing new connections

Some more info ...

1. %PIX-3-201008: The PIX is disallowing new connections.

This message occurs when you have enabled TCP system log messaging and the syslog server cannot be reached, or when using PIX Firewall Syslog Server (PFSS) and the disk on the Windows NT system is full.

Recommended Action: Disable TCP system log messaging. If using PFSS, free up space on the Windows NT system where PFSS resides. Also, make sure that the syslog host is up and you can ping the host from the PIX Firewall console. Then restart TCP system message logging to allow traff

569
Views
0
Helpful
2
Replies