Deny inbound protocol 41

handsy
Level 1

Recently I've started getting absolutely hundreds of protocol 41 deny alarms on my ASA firewall outside interface. These are flooding my syslog and making it hard to check for other issues that may be going on in our network.

Most are from 94.245.121.x addresses which appear to be owned by Microsoft!

Example

19-08-2011    08:22:34    Local4.Error    firewall1    %ASA-3-106010: Deny inbound protocol 41 src internet:94.245.121.211 dst internet:x.x.x.x

Can anyone help me understand these alerts better? Should I be concerned?

Protocol 41 seems to be IPv6 to IPv4 tunneling protocol (6in4).

Thanks

3 Replies

Anu M Chacko
Cisco Employee

Hi,

The message means that the ASA is dropping this connection since it failed a security check. Too many unwanted syslogs can affect other resources like CPU, etc. If you are not aware of the IP address 94.245.121.211, just shun this IP with command "shun 94.245.121.211". This will drop all packets from this source without processing it against any checks.

Hope this helps!

Regards,

Anu

P.S. Please mark this question as answered if it has been resolved. Do rate helpful posts.

Thanks for quick reply, but I guess what I'm after is someone to tell me why Microsoft IP addresses are constantly hitting my firewall on protocol 41?

Hi,

Do you have a host on the inside that has an application that uses the 6to4 protocol? It is possible that there is, which requests this kind of traffic or to open ports. I suggest you track down that host and disable the application if you don't need it. Here's a good link:

http://www.ipv6tf.org/index.php?page=using/connectivity/6to4

Hope this helps!

Regards,

Anu

P.S. Please mark this question as answered if it has been resolved. Do rate helpful posts.
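
Added example, not part of any post in this thread: a small Python triage script that groups %ASA-3-106010 denies by protocol, source /24 and destination, so a flood like the one described collapses into a few rows and the targeted outside address is visible. The sample log is constructed (only 94.245.121.211 comes from the thread), and the names `summarize` and `report` are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Layout taken from the 106010 line quoted in the thread. The optional /port
# suffix is an assumption added for tolerance; the thread's line has none.
DENY_106010 = re.compile(
    r"%ASA-3-106010: Deny inbound protocol (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[0-9.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[0-9A-Za-z.]+)(?:/\d+)?"
)

# Constructed sample input. Only 94.245.121.211 comes from the thread; every
# other address is made up or taken from the documentation ranges.
SAMPLE_LOG = """\
19-08-2011 08:22:34 Local4.Error firewall1 %ASA-3-106010: Deny inbound protocol 41 src internet:94.245.121.211 dst internet:203.0.113.10
19-08-2011 08:22:35 Local4.Error firewall1 %ASA-3-106010: Deny inbound protocol 41 src internet:94.245.121.37 dst internet:203.0.113.10
19-08-2011 08:22:35 Local4.Error firewall1 %ASA-3-106010: Deny inbound protocol 41 src internet:94.245.121.253 dst internet:203.0.113.10
19-08-2011 08:22:36 Local4.Error firewall1 %ASA-3-106010: Deny inbound protocol 41 src internet:198.51.100.7 dst internet:203.0.113.25
19-08-2011 08:22:37 Local4.Error firewall1 %ASA-3-106010: Deny inbound protocol 47 src internet:192.0.2.44 dst internet:203.0.113.10
19-08-2011 08:22:38 Local4.Warning firewall1 %ASA-4-106023: Deny tcp src internet:192.0.2.44/51515 dst inside:203.0.113.10/445 by access-group "outside_in"
"""


def summarize(lines, prefix_len=24):
    """Count 106010 denies per (protocol, source prefix, destination)."""
    counts = Counter()
    for line in lines:
        m = DENY_106010.search(line)
        if not m:
            continue  # other message IDs are left for normal review
        try:
            net = ipaddress.ip_network(f"{m['src']}/{prefix_len}", strict=False)
        except ValueError:
            continue  # malformed or redacted source address
        counts[(m["proto"], str(net), m["dst"])] += 1
    return counts


def report(counts):
    """Render the busiest groups first, one row per group."""
    return [f"{n:>5}  proto {p:<4} {net:<18} -> {dst}"
            for (p, net, dst), n in counts.most_common()]


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG.splitlines()))))
```

A destination that keeps appearing in the protocol 41 rows is the outside or translated address to map back to an internal host when looking for the 6to4 client mentioned in the last reply.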
