Disable logging of "Implicit Deny"

vincehgov, Level 1

Hi All,

My syslog is full of %ASA-4-106023: Deny tcp src outside:---- by access-group "inbound-acl" messages.  I did not configure an explicit deny for the access list to log these denies.

Can someone explain how I can disable logging of denied connections?

Vince


9 Replies

vincehgov, Level 1

TAC had me issue the command "no logging message 106023".  Seems to have worked.

You could also try to add a deny ip any any rule at the end, with the no logging option set. Sadly I haven't got the right syntax at hand at the moment.

But in any case I would not disable this, as you then can't see in the log files whether you are being attacked, nor whether a service is malfunctioning because of a port that should have been opened.

Hi Vincent,

This log message is generated because someone is sending traffic which you have not allowed through your ASA. I would suggest that you check the source and destination in the log and work towards finding the reason this traffic is coming to your ASA.

ASA logging this is a good thing in that it keeps you informed about unwanted traffic ending up on your ASA; it also helps in troubleshooting in case something legitimate is getting denied.

Once you fix the offending traffic, the logs will stop anyway.

Else, add following explicit deny rule:

access-list inbound-acl deny ip any any

-

Sourav

Hi Sourav,

This is coming from the internet.  How would you suggest I go about fixing the offending traffic?

Vince

Vincent,

Can you paste some sample logs? Hide the IP's if you want.

You mentioned that the log file is flooded with the above log message; is it coming from some specific IPs or from different IPs altogether?

If the latter, put the explicit deny ip any any as I mentioned above. If specific IPs, we can look into it further.

-

Sourav

Hi Sourav,

I have thousands of the following line:

%ASA-4-106023: Deny tcp src outside:99.32.21.185/60905 dst inside:x.y.z.a/6970 by access-group "inbound-acl" [0x0, 0x0]

It seems to be coming from only one source. 99.32.21.185.

Thanks for your help!

Vince
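Added example, not part of the original thread: Sourav's question above (one source or many?) and the earlier suggestion of an explicit deny ip any any are easiest to settle by parsing the 106023 lines themselves. Note that an explicit deny ACE without a log keyword still produces 106023 for the packets it drops (that is the ACE's default logging), so the explicit deny alone does not quiet the log; the ACE needs "log disable", which silences only that entry, while "no logging message 106023" (the TAC workaround) hides every implicit deny on the box. The script below counts denies per source and per destination port and returns the narrower ASA command that fits: a host-specific deny ACE with "log disable" when one host dominates, or a per-message rate limit when the denies come from many sources. The sample log lines are constructed (only the first is quoted from the thread); the dominance threshold and the rate-limit values are assumptions to tune.

```python
"""Triage ASA %ASA-4-106023 (implicit deny) syslog lines.

Counts denies per source address and per destination port so a single noisy
host can be told apart from a broad scan, then returns the ASA command that
quiets the log without switching message 106023 off globally.
"""
import re
from collections import Counter

# Field layout of the 106023 message as quoted in the thread:
#   Deny <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> by access-group "<acl>"
# ICMP variants carry "type/code" instead of ports and are left unparsed here.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<sifc>[\w-]+):(?P<src>[^/\s]+)/(?P<sport>\d+) '
    r'dst (?P<difc>[\w-]+):(?P<dst>[^/\s]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_106023(line):
    """Return the message fields as a dict, or None if the line is not a 106023 deny."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate denies by source IP and by (proto, dst port); count lines that did not parse."""
    by_src, by_dport, unparsed, acl = Counter(), Counter(), 0, None
    for line in lines:
        rec = parse_106023(line)
        if rec is None:
            unparsed += 1
            continue
        by_src[rec["src"]] += 1
        by_dport[(rec["proto"], int(rec["dport"]))] += 1
        acl = rec["acl"]  # the access-group that matched the denied packets
    return {"by_src": by_src, "by_dport": by_dport, "unparsed": unparsed,
            "acl": acl, "total": sum(by_src.values())}


def recommend(summary, dominance=0.8):
    """Pick the narrowest logging change that fits the traffic (threshold is an assumption).

    One host producing most of the denies: append an explicit deny ACE for that host
    with 'log disable', which silences only that ACE and keeps 106023 for everything
    else (the traffic was already being dropped, so appending does not change policy).
    Many sources: rate-limit message 106023 rather than disabling it.
    """
    if summary["total"] == 0:
        return []
    src, hits = summary["by_src"].most_common(1)[0]
    if hits / summary["total"] >= dominance and summary["acl"]:
        return [f'access-list {summary["acl"]} extended deny ip host {src} any log disable']
    # at most 10 messages per 60 seconds; assumed values, tune to taste
    return ["logging rate-limit 10 60 message 106023"]


# Constructed sample: the first line is the one quoted in the thread, the rest
# imitate it (incrementing source ports, one unrelated source, one non-deny line).
SAMPLE_FLOOD = [
    '%ASA-4-106023: Deny tcp src outside:99.32.21.185/60905 dst inside:x.y.z.a/6970 by access-group "inbound-acl" [0x0, 0x0]'
] + [
    f'%ASA-4-106023: Deny tcp src outside:99.32.21.185/{60906 + i} dst inside:x.y.z.a/6970 by access-group "inbound-acl" [0x0, 0x0]'
    for i in range(8)
] + [
    '%ASA-4-106023: Deny udp src outside:203.0.113.7/5060 dst inside:x.y.z.a/5060 by access-group "inbound-acl" [0x0, 0x0]',
    '%ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.9/4433 (203.0.113.9/4433) to inside:x.y.z.a/443 (x.y.z.a/443)',
]

# Constructed sample of a scan: twenty sources, one destination port each.
SAMPLE_SCAN = [
    f'%ASA-4-106023: Deny tcp src outside:198.51.100.{i}/40000 dst inside:x.y.z.a/{20 + i} by access-group "inbound-acl" [0x0, 0x0]'
    for i in range(1, 21)
]

if __name__ == "__main__":
    for name, lines in (("flood", SAMPLE_FLOOD), ("scan", SAMPLE_SCAN)):
        s = summarize(lines)
        print(name, "top sources:", s["by_src"].most_common(3), "unparsed:", s["unparsed"])
        print("  ->", recommend(s))
```

Feed it the relevant lines from the syslog server (for example the output of grep 106023 on the log file); the unparsed count tells you how many lines, such as ICMP denies, the regex did not cover.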

In this case you could write an abuse message to the ISP of this IP address. A quick whois revealed that it's IP space owned by AT&T: http://whois.arin.net/rest/net/NET-99-0-0-0-1/pft

Write your abuse complaint to abuse@sbcglobal.net and abuse@att.net telling them that this IP is flooding your firewall with unwanted traffic.

Hi Vincent,

That tells the story then. If this is unexpected traffic to your server (which I am sure it is, that is why you don't have a permit acl for this), please take this matter up with your ISP and have them mitigate this at their end.

ASA is doing what it is supposed to: dropping the traffic and highlighting this to the administrator.

-

Sourav

That's great advice.  Thanks guys.
