
New Member

Weird logging in my pix logs - not sure If this is a problem

I get this error in my firewall logs:

Feb 26 15:32:49 firewall %PIX-6-106015: Deny TCP (no connection) from 161.58.238.151/110 to a.b.c.d/3782 flags RST ACK on interface outside

Is this telling me that my connection timeout or is someone trying to hack me?

thanks

Jenn

5 REPLIES
Silver

Re: Weird logging in my pix logs - not sure If this is a problem

That looks like your user at a.b.c.d tried making a pop3 (tcp port 110 connection) to that server. That server, or its firewall, replied that it doesn't offer that service, by ACKnowledging the packet and ReSeTting the connection.

At syslog level 6 (i.e., PIX-6-xxxxxxx), you will see events for just about all connection attempts. The real security event stuff typically is at level 3 and 4. Critical pix system level stuff is at 1 and 2.

New Member

Re: Weird logging in my pix logs - not sure If this is a problem

Thanks. Do you know if there is a way to log 1, 2 and 4? I would like to see warnings so I know what's going on.

Cisco Employee

Re: Weird logging in my pix logs - not sure If this is a problem

You can't specifically log just levels 1, 2 and 4. If you log at level 4 then you'll get 1-4, that's the only way to do it.

New Member

Re: Weird logging in my pix logs - not sure If this is a problem

If you run the full version of Kiwi syslog daemon, you can specify which levels are to be displayed, logged to file etc.

Re: Weird logging in my pix logs - not sure If this is a problem

What you can do is set your logging to whatever level you want, then disable the logging for specific messages you don't want. Use the 'no logging message' command to suppress a syslog message. Use the 'clear logging disabled' command to reset the disallowed messages to the original set. Use the 'show message disabled' command to list the suppressed messages.

Downside is that the list of messages can get long.

e.g.

logging trap informational

no logging message 106015

no logging message 105004

no logging message 309002

no logging message 305012

no logging message 303002

no logging message 302015

no logging message 111005

no logging message 609001

no logging message 302016

Hope it helps.

Steve
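
The collector-side filtering discussed in this thread (keeping only levels 1, 2 and 4, and dropping specific message IDs), as an added example that is not from any of the posters or from Cisco: a Python filter over PIX syslog lines. The function names are hypothetical, and every sample line except the first (which is the one from the original post) is constructed for illustration.

```python
import re

# Every PIX message carries the tag %PIX-<severity>-<message id>: before its text.
PIX_TAG = re.compile(r"%PIX-(?P<level>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)")

def parse(line):
    """Return (level, msgid, text) for a PIX syslog line, or None if it has no PIX tag."""
    m = PIX_TAG.search(line)
    if m is None:
        return None
    return int(m["level"]), m["msgid"], m["text"]

def select(lines, levels, suppressed=frozenset()):
    """Keep lines whose severity is in `levels` and whose message id is not suppressed.

    `levels` can be any set (for example {1, 2, 4}), which the firewall's own
    logging level cannot express because it always means "this level and below".
    """
    kept = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # not a PIX message (other hosts, syslog "repeated" lines)
        level, msgid, _ = parsed
        if level in levels and msgid not in suppressed:
            kept.append(line)
    return kept

# First line is the one from the thread; the rest are constructed samples.
SAMPLE = [
    "Feb 26 15:32:49 firewall %PIX-6-106015: Deny TCP (no connection) from "
    "161.58.238.151/110 to a.b.c.d/3782 flags RST ACK on interface outside",
    "Feb 26 15:33:02 firewall %PIX-4-106023: Deny tcp src outside:192.0.2.10/4411 "
    "dst inside:198.51.100.5/23 by access-group \"acl_out\"",
    "Feb 26 15:33:05 firewall %PIX-3-305005: No translation group found for tcp "
    "src inside:198.51.100.7/1055 dst outside:192.0.2.20/80",
    "Feb 26 15:33:09 firewall %PIX-2-106001: Inbound TCP connection denied from "
    "192.0.2.10/4412 to 198.51.100.5/25 flags SYN on interface outside",
    "Feb 26 15:33:40 firewall %PIX-1-105004: (Primary) Monitoring on interface 1 normal",
    "Feb 26 15:34:00 firewall last message repeated 2 times",
]

if __name__ == "__main__":
    # Levels 1, 2 and 4 only, with one noisy message id dropped as well.
    for line in select(SAMPLE, {1, 2, 4}, suppressed={"105004"}):
        print(line)
```
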
