cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

566
Views
0
Helpful
4
Replies
Highlighted
Beginner

106001 syslog events for internal hosts

I've just taken over a new network with a Cisco ASA5520. Everything is working fine, except I am being bombarded with 106001 alerts from a few internal hosts to one specific internal host. The description in general is "Inbound TCP connection denied from 10.1.0.1 to 10.1.0.5 - both of those are valid internal hosts and the TCP ports are also valid. I tried looking at the log and getting it me to tell me which rule was causing these alerts, but it just came back with 'It's not possible for these type of alerts'

I have three questions:

- How is it possible for the ASA to even pick up on this when, in theory, the source host wouldn't be going near the ASA since it's on the same subnet?

- What might be causing this?

- How can I turn it off!! (I guess that'd be fixed by point 2)

Thanks

Richard

4 REPLIES 4
Highlighted
Advocate

106001 syslog events for internal hosts

Hi Richard,

This log would be generated whenever the connection is denied due to any reason by the firewall, could be anything, access-rule. So you see them in the logs. If you want to turn them off, you can use the command:

no logging message 106001

They might be valid hosts but according to rules defined on firewall they might not be allowed to talk to eachother.

this would help you:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/system/message/logmsgs.html#wp4768860

Hope this helps,

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Highlighted
Beginner

106001 syslog events for internal hosts

I believe an incorrect subnet mask on one or more of the internal hosts could cause this error to show up.

Highlighted
Beginner

106001 syslog events for internal hosts

Thanks for the advice guys.

Varun, I understand that the log would appear due to access-rules etc... but I don't understand how/why the firewall is getting in on the act when both hosts are on the same LAN? The host isn't going to send packets to the firewall, rather broadcast to the switches and wait for a reply. I could use the link, it wanted me to login and my details wouldn't work.

Tom, I've checked for subnet settings, but they look fine. It would have be nice for it to have been that simple!

Any other advice would be welcome. I'd rather not turn off the alert, I know it's not doing any damage but something isn't quite right!

Highlighted
Advocate

106001 syslog events for internal hosts

Hi Richard,

Then it could be one of the following issues:

If you have the same subnet being defined on any other interface on the firewall

or if you ahve any static statement being configured for it.

Could you provide a show run from the firewall??

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC