04-16-2011 01:04 AM - edited 03-11-2019 01:21 PM
Hi,
We are seeing continuous deny hits from one source to one destination on port 514 even though access is allowed in the FWSM. Below are the logs:
Apr 10 04:51:57 10.132.48.1 Apr 10 2011 04:51:57 JEDDCSFFWSM01 : %FWSM-4-106023: Deny udp src DMZ50:source IP/32799 dst DMZ40:destination ip/514 by access-group "DMZ50" [0x0, 0x0]
Can you help us?
Regards
Babu
04-16-2011 01:19 PM
Hi Babu,
Please check the access-list applied on the DMZ50 interface. It should permit udp to destination_ip:514.
It would be difficult to diagnose without the actual config as to what is wrong.
Could you please share the security-level of the DMZ50 and DMZ40 interface?
What nat rules are there between these two interfaces, either for the sourceip or the destinationip?
-Shrikant
04-17-2011 02:44 AM
04-18-2011 07:55 AM
Hi Mustafa,
I would suggest trying to move the ACE that permits this traffic to line 1 of the DMZ50 access-list and then allowing the ACL to re-compile. Perhaps there is a line higher above it that is denying the traffic before it gets to your permit rule.
-Mike
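To make Mike's point concrete, here is an added example (not from the thread or from Cisco) that parses the %FWSM-4-106023 message quoted above and replays the flow through a constructed, ordered copy of the DMZ50 access-list to show which ACE actually fires and which later permit it shadows. The ACL, the RFC 5737 addresses and the ACE tuple format are assumptions; the first-match/implicit-deny semantics are the FWSM's.

```python
import re
from ipaddress import ip_address, ip_network

# Matches the %FWSM-4-106023 deny message from the thread; the source and
# destination addresses were redacted there, so the sample below is constructed.
LOG_RE = re.compile(
    r"%FWSM-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

def parse_106023(line):
    """Return the deny's fields as a dict, or None if the line is not a 106023."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f

# Simplified ACE: (action, proto, src_net, dst_net, dst_port-or-None).
# Evaluation is first match wins, with the FWSM's implicit deny at the end.
def first_match(acl, proto, src, dst, dport):
    for idx, (action, ace_proto, src_net, dst_net, ace_port) in enumerate(acl, 1):
        if ace_proto not in ("ip", proto):
            continue
        if ip_address(src) not in ip_network(src_net) or ip_address(dst) not in ip_network(dst_net):
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return idx, action
    return None, "deny"  # implicit deny

def explain_deny(line, acl):
    """Find the ACE that produced the deny and any later permit it shadows."""
    f = parse_106023(line)
    if f is None:
        return None
    flow = (f["proto"], f["src"], f["dst"], f["dport"])
    hit, action = first_match(acl, *flow)
    # A permit ACE that would match this flow if it were evaluated on its own.
    lone_permits = [i for i, ace in enumerate(acl, 1)
                    if ace[0] == "permit" and first_match([ace], *flow)[0] == 1]
    shadowed = [i for i in lone_permits if hit is None or i > hit]
    return {"acl": f["acl"], "matched_line": hit, "action": action, "shadowed_permit_lines": shadowed}

# Constructed sample: a broad deny sits above the syslog permit, as Mike suspects.
SAMPLE_LOG = ('Apr 10 04:51:57 10.132.48.1 Apr 10 2011 04:51:57 JEDDCSFFWSM01 : %FWSM-4-106023: '
              'Deny udp src DMZ50:192.0.2.10/32799 dst DMZ40:198.51.100.20/514 by access-group "DMZ50" [0x0, 0x0]')
DMZ50_ACL = [
    ("permit", "tcp", "192.0.2.0/24", "198.51.100.0/24", 443),
    ("deny", "ip", "192.0.2.0/24", "198.51.100.0/24", None),
    ("permit", "udp", "192.0.2.10/32", "198.51.100.20/32", 514),
]
```

Moving the line-3 permit to line 1 of `DMZ50_ACL` makes `explain_deny` report `permit`, which is exactly the reordering test suggested above.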