
New Member

PIX upgrade to 6.2(3) causes surge of syslog 106023 msgs.

PIX software upgrade from 6.2(1) to 6.3(2) resulted in over 40-fold increase in syslog 106023 messages triggered by connection attempts from external hosts on 80/tcp to ports > 1023 on external PAT IP address. From packet capture, messages appear to be triggered by HTTP sessions from remote web servers back to internal clients after outbound session termination from internal client.

10 REPLIES
Cisco Employee

Re: PIX upgrade to 6.2(3) causes surge of syslog 106023 msgs.

It could very likely be a coincidence that this is happening after the upgrade..

It could also be an intrusion/hacking event. Are the messages from the same source address? This should confirm if someone is attempting foot printing or port scanning of your IP range(s).

Regards

Yusuf

New Member

Re: PIX upgrade to 6.2(3) causes surge of syslog 106023 msgs.

Thanks, but that was the first thing I ruled out.

Gold

Re: PIX upgrade to 6.2(3) causes surge of syslog 106023 msgs.

Hi -

Message Code %PIX-4-106023

Severity Warning (Warning condition)

Example Deny protocol src [inbound-interface]:[src_address/src_port] dst outbound-interface:dst_address/dst_port [type {type}, code {code}] by access_group access-list-name

Explanation An IP packet was denied by the access-list.

Action Change permission of access-list if a permit policy is desired. If messages persist from the same source address, messages could indicate a foot printing or port scanning attempt. Contact the remote host administrator.

If you are seeing %PIX-4-106023 then from past experience, check that your ACLs have the appropriate access-group command associated with them, i.e. if you have inside ACLs then you should have the command: access-group inside in interface inside, and for outside: access-group outside in interface outside.

Hope this helps -

New Member

Re: PIX upgrade to 6.2(3) causes surge of syslog 106023 msgs.

Thanks, but that was the first thing I ruled out.

New Member

Re: PIX upgrade to 6.2(3) causes surge of syslog 106023 msgs.

Hi! Did you figure out what it is? I have the same thing. Thanks

Re: PIX upgrade to 6.2(3) causes surge of syslog 106023 msgs.

Hi,

The changes you note are a result of the new feature known as policy NAT. One of the things we had to do with respect to this feature was change the way the PIX processes incoming packets. We now log inbound packets that have no connections associated with them as being denied by the ACL. Prior to this, they would be denied because of no xlate, which the PIX silently dropped (no logs). The 106023 messages can be ignored in most cases if you see a corresponding 302014 message preceding it. Hope this helps.

Scott
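A log-correlation check for the rule Scott gives above (a 106023 deny is benign when a 302014 teardown for the same flow precedes it), added here as an example and not from the thread or from Cisco. It assumes the documented "Teardown TCP connection" layout of 302014 and an MM-DD-YYYY syslog timestamp prefix; the sample lines are constructed, with one deny that has no preceding teardown so it is left for review.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the thread): one level-6 teardown followed by the
# level-4 denies it explains, plus one deny with no preceding teardown for that flow.
LOG = """\
01-05-2004 11:05:10 Local4.Info 192.168.2.1 %PIX-6-302014: Teardown TCP connection 4711 for outside:204.69.199.39/80 to inside:10.0.64.30/4756 duration 0:00:05 bytes 2048 TCP FINs
01-05-2004 11:05:11 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4756 by access-group "acl_out"
01-05-2004 11:05:11 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4756 by access-group "acl_out"
01-05-2004 11:05:12 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/80 dst inside:10.0.64.30/4759 by access-group "acl_out"
"""

TS = r"(?P<ts>\d\d-\d\d-\d{4} \d\d:\d\d:\d\d)"
EP = r"\w+:(?P<{0}>[\d.]+)/(?P<{0}p>\d+)"  # interface:address/port endpoint
DENY = re.compile(TS + r".*%PIX-4-106023: Deny \w+ src " + EP.format("a") + " dst " + EP.format("b"))
TEARDOWN = re.compile(TS + r".*%PIX-6-302014: Teardown TCP connection \d+ for " + EP.format("a") + " to " + EP.format("b"))

def parse_ts(s):
    return datetime.strptime(s, "%m-%d-%Y %H:%M:%S")  # assumed MM-DD-YYYY syslog prefix

def flow_key(m):
    # Direction-agnostic key: the teardown is logged outside->inside, the deny src/dst may differ.
    return frozenset([(m["a"], m["ap"]), (m["b"], m["bp"])])

def triage(log, window=timedelta(seconds=30)):
    """Split 106023 denies into those explained by a recent 302014 teardown of the same flow and the rest."""
    last_teardown = {}
    explained, unexplained = [], []
    for line in log.splitlines():
        if m := TEARDOWN.search(line):
            last_teardown[flow_key(m)] = parse_ts(m["ts"])
        elif m := DENY.search(line):
            seen = last_teardown.get(flow_key(m))
            rec = {"ts": m["ts"], "src": m["a"], "dst": m["b"], "dport": m["bp"]}
            # Explained only if the teardown came first and within the window.
            if seen is not None and timedelta(0) <= parse_ts(m["ts"]) - seen <= window:
                explained.append(rec)
            else:
                unexplained.append(rec)
    return {"explained": explained, "unexplained": unexplained}

if __name__ == "__main__":
    r = triage(LOG)
    print(f"{len(r['explained'])} explained by a preceding teardown, {len(r['unexplained'])} need a look")
    for d in r["unexplained"]:
        print("review:", d)
```

If 302014 is not being logged at all (logging level below 6, as Scott notes below), every deny lands in the unexplained list, so the check is only meaningful with level 6 logging enabled.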

New Member

Re: PIX upgrade to 6.2(3) causes surge of syslog 106023 msgs.

Thanks for your response! I do not have any 302014 messages at all. I do have 106023 even for cisco forum. Why is there a new session initiated from remote port 80 to the computer with the browser running?

Re: PIX upgrade to 6.2(3) causes surge of syslog 106023 msgs.

Can you post an example of some that you are seeing?

And the most likely reason you do not have the 302014 messages is because you are not logging at a high enough level. The 302014 messages are suppressed below level 6.

Scott

New Member

Re: PIX upgrade to 6.2(3) causes surge of syslog 106023 msgs.

Those are errors for cisco forum:

01-05-2004 11:05:11 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4756 by access-group "acl_out"

01-05-2004 11:05:11 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4756 by access-group "acl_out"

01-05-2004 11:05:11 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4756 by access-group "acl_out"

01-05-2004 11:05:12 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4759 by access-group "acl_out"

01-05-2004 11:05:12 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4759 by access-group "acl_out"

01-05-2004 11:05:12 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4759 by access-group "acl_out"

01-05-2004 11:05:12 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4759 by access-group "acl_out"

Once again, why is there a communication like that? Also, what is 302014 message? Thanks.

New Member

Re: PIX upgrade to 6.2(3) causes surge of syslog 106023 msgs.

I also have seen that but somewhat ignored it.
