08-19-2011 12:28 AM - edited 03-11-2019 02:14 PM
Recently I've started getting absolutely hundreds of protocol 41 deny alarms on my ASA firewall outside interface. These are flooding my syslog and making it hard to check for other issues that may be going on in our network.
Most are from 94.245.121.x addresses which appear to be owned by Microsoft!
Example
19-08-2011 08:22:34 Local4.Error firewall1 %ASA-3-106010: Deny inbound protocol 41 src internet:94.245.121.211 dst internet:x.x.x.x
Can anyone help me understand these alerts better? Should I be concerned?
Protocol 41 seems to be IPv6 to IPv4 tunneling protocol (6in4).
Thanks
08-19-2011 12:36 AM
Hi,
The message means that the ASA is dropping this connection since it failed a security check. Too many unwanted syslogs can affect other resources like CPU, etc. If you are not aware of the IP address 94.245.121.211, just shun this IP with command "shun 94.245.121.211". This will drop all packets from this source without processing it against any checks.
Hope this helps!
Regards,
Anu
P.S. Please mark this question as answered if it has been resolved. Do rate helpful posts.
08-19-2011 01:17 AM
Thanks for the quick reply, but I guess what I'm after is someone to tell me why Microsoft IP addresses are constantly hitting my firewall on protocol 41?
08-19-2011 01:31 AM
Hi,
Do you have a host on the inside that has an application that uses the 6to4 protocol? It is possible that there is, which requests this kind of traffic or to open ports. I suggest you track down that host and disable the application if you don't need it. Here's a good link:
http://www.ipv6tf.org/index.php?page=using/connectivity/6to4
Hope this helps!
Regards,
Anu
P.S. Please mark this question as answered if it has been resolved. Do rate helpful posts.
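Added example, not part of the original thread and not Cisco code: one way to size up a flood like this is to tally %ASA-3-106010 denies per protocol and source /24 from saved syslog. The regex follows the message layout quoted in the first post; the function names are hypothetical, and every sample line except the first is constructed.

```python
import ipaddress
import re
from collections import Counter

# Layout of the %ASA-3-106010 message as quoted in the first post.
DENY_RE = re.compile(
    r"%ASA-3-106010: Deny inbound protocol (?P<proto>\d+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>\S+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>\S+)"
)

def parse_deny(line):
    """Return (protocol, source IPv4Address, dst text), or None if no match."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    try:
        src = ipaddress.IPv4Address(m["src"])
    except ValueError:  # masked or malformed source address
        return None
    return int(m["proto"]), src, m["dst"]

def summarize(lines, prefix_len=24):
    """Count 106010 denies per (IP protocol number, source network)."""
    counts = Counter()
    for line in lines:
        parsed = parse_deny(line)
        if parsed is None:
            continue
        proto, src, _dst = parsed
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        counts[(proto, str(net))] += 1
    return counts

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE = [
    "19-08-2011 08:22:34 Local4.Error firewall1 %ASA-3-106010: Deny inbound protocol 41 src internet:94.245.121.211 dst internet:x.x.x.x",
    "19-08-2011 08:22:35 Local4.Error firewall1 %ASA-3-106010: Deny inbound protocol 41 src internet:94.245.121.211 dst internet:x.x.x.x",
    "19-08-2011 08:22:36 Local4.Error firewall1 %ASA-3-106010: Deny inbound protocol 41 src internet:192.0.2.10 dst internet:x.x.x.x",
    "19-08-2011 08:22:37 Local4.Error firewall1 %ASA-3-106010: Deny inbound protocol 47 src internet:198.51.100.7 dst internet:x.x.x.x",
    "19-08-2011 08:22:38 Local4.Error firewall1 %ASA-3-106010: Deny inbound protocol 41 src internet:x.x.x.x dst internet:x.x.x.x",
]

if __name__ == "__main__":
    for (proto, net), n in summarize(SAMPLE).most_common():
        print(f"protocol {proto:>3}  {net:<18} {n} denies")
```

Feeding it the real syslog file instead of `SAMPLE` shows whether the protocol 41 denies really come from one network or from many.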