106001 syslog events for internal hosts

slipgateuk
Level 1

I've just taken over a new network with a Cisco ASA5520. Everything is working fine, except I am being bombarded with 106001 alerts from a few internal hosts to one specific internal host. The description in general is "Inbound TCP connection denied from 10.1.0.1 to 10.1.0.5" - both of those are valid internal hosts and the TCP ports are also valid. I tried looking at the log and getting it to tell me which rule was causing these alerts, but it just came back with 'It's not possible for these type of alerts'.

I have three questions:

- How is it possible for the ASA to even pick up on this when, in theory, the source host wouldn't be going near the ASA since it's on the same subnet?

- What might be causing this?

- How can I turn it off!! (I guess that'd be fixed by point 2)

Thanks

Richard

4 Replies

varrao
Level 10

Hi Richard,

This log would be generated whenever the connection is denied by the firewall for any reason; it could be anything, e.g. an access rule. So you see them in the logs. If you want to turn them off, you can use the command:

no logging message 106001

They might be valid hosts, but according to the rules defined on the firewall they might not be allowed to talk to each other.

This would help you:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/system/message/logmsgs.html#wp4768860

Hope this helps,

Thanks,

Varun

Thanks,
Varun Rao

tomsutherland
Level 1

I believe an incorrect subnet mask on one or more of the internal hosts could cause this error to show up.

slipgateuk
Level 1

Thanks for the advice guys.

Varun, I understand that the log would appear due to access rules etc., but I don't understand how/why the firewall is getting in on the act when both hosts are on the same LAN. The host isn't going to send packets to the firewall, rather broadcast to the switches and wait for a reply. I couldn't use the link; it wanted me to log in and my details wouldn't work.

Tom, I've checked the subnet settings, but they look fine. It would have been nice for it to have been that simple!

Any other advice would be welcome. I'd rather not turn off the alert, I know it's not doing any damage but something isn't quite right!

varrao
Level 10

Hi Richard,

Then it could be one of the following issues:

If you have the same subnet defined on any other interface on the firewall,

or if you have any static statement configured for it.

Could you provide a show run from the firewall??

Thanks,

Varun

Thanks,
Varun Rao
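A practitioner working this thread would want two things before reaching for `no logging message 106001`: a quick tally of which internal flows are being denied and on which interface (what Varun's first reply describes), and a check of the `show run` for the two conditions his second reply raises (the same subnet on another interface, or a `static` statement for the host). The script below is an added example, not code from the thread or from Cisco; it assumes the ASA 8.x 106001 message text ("Inbound TCP connection denied from IP/port to IP/port flags ... on interface name") and the 8.2-era `static (real_ifc,mapped_ifc) mapped_ip real_ip` syntax, and the log lines and config excerpt are constructed for illustration (the addresses, interface names and `static` line are hypothetical and do not describe the poster's firewall).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog in the ASA 8.x 106001 format (hypothetical, not from the thread).
SAMPLE_LOG = """\
%ASA-2-106001: Inbound TCP connection denied from 10.1.0.1/52344 to 10.1.0.5/445 flags SYN on interface inside
%ASA-2-106001: Inbound TCP connection denied from 10.1.0.1/52345 to 10.1.0.5/445 flags SYN on interface inside
%ASA-2-106001: Inbound TCP connection denied from 10.1.0.7/40001 to 10.1.0.5/3389 flags SYN on interface inside
%ASA-2-106001: Inbound TCP connection denied from 203.0.113.9/1234 to 198.51.100.5/22 flags SYN on interface outside
"""

# Constructed "show run" excerpt (hypothetical config, not the poster's).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 ip address 10.1.0.254 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 ip address 10.1.1.1 255.255.255.0
!
static (inside,dmz) 10.1.0.5 10.1.0.5 netmask 255.255.255.255
"""

MSG_RE = re.compile(
    r"%ASA-\d-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<ifname>\S+)"
)
# ASA 8.2 static syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<mapped>[\d.]+) (?P<real>[\d.]+)"
)


def parse_106001(text):
    """Extract the 106001 events from a syslog dump; other message IDs are ignored."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events


def summarize(events):
    """Count denied flows per (ingress interface, src, dst, dst port)."""
    return Counter((e["ifname"], e["src"], e["dst"], e["dport"]) for e in events)


def parse_interfaces(config):
    """Map nameif -> configured subnet for every routed interface in a show run."""
    nets, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, addr, mask = line.split()[:4]
            nets[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return nets


def parse_statics(config):
    """Collect every static statement (real/mapped interface and addresses)."""
    return [m.groupdict() for m in (STATIC_RE.match(ln.strip()) for ln in config.splitlines()) if m]


def diagnose(events, nets, statics):
    """Flag 106001 events whose src and dst both sit in the ingress interface's own subnet
    (traffic that should never have reached the ASA) and report the two config
    conditions suggested in the thread for each one."""
    findings = []
    for e in events:
        ingress = nets.get(e["ifname"])
        if ingress is None:
            continue
        src, dst = ipaddress.ip_address(e["src"]), ipaddress.ip_address(e["dst"])
        if not (src in ingress and dst in ingress):
            continue  # ordinary inter-interface traffic; an ACL denial is expected there
        overlaps = sorted(n for n, net in nets.items() if n != e["ifname"] and net.overlaps(ingress))
        hits = [s for s in statics if {e["src"], e["dst"]} & {s["real"], s["mapped"]}]
        findings.append({
            "flow": f'{e["src"]}:{e["sport"]} -> {e["dst"]}:{e["dport"]} on {e["ifname"]}',
            "same_subnet": str(ingress),
            "overlapping_interfaces": overlaps,
            "static_statements": [f'static ({s["real_if"]},{s["mapped_if"]}) {s["mapped"]} {s["real"]}' for s in hits],
        })
    return findings


if __name__ == "__main__":
    evs = parse_106001(SAMPLE_LOG)
    for key, n in summarize(evs).most_common():
        print(n, key)
    for f in diagnose(evs, parse_interfaces(SAMPLE_CONFIG), parse_statics(SAMPLE_CONFIG)):
        print(f)
```

On the constructed input the outside-to-outside denial is left alone, while the three inside-to-inside denials are flagged as same-subnet traffic and tied back to the `static (inside,dmz)` line for 10.1.0.5; no interface subnet overlaps in this sample, so that list comes back empty. Feed it a real `show logging` capture and `show run` instead of the embedded samples to answer Richard's second question without suppressing the message.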