Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
852
Views
0
Helpful
1
Replies

False Reporting Deny's on PIX 6.1.

rhanly
Level 1
Level 1

‎07-17-2002 11:22 PM - edited ‎02-20-2020 10:10 PM

Why am I seeing this 3 "Deny"s considering that :

a) The pix should store the state

b) The src/dest should kill the session (1st and 3rd Deny) not the

firewall - unless the state has obviously timed out, which in this case

you

can see with the timestamp, is well within the state timeout

Have a look at this log. How do I cut this down or resolve this.

Jul 17 08:43:02 pix-fw Jul 17 2002 08:45:48: %PIX-6-302001: Built

inbound

TCP connection 1343142 for faddr 5.6.7.8/39570 gaddr 1.2.3.4/25 laddr

1.2.3.4/25

Jul 17 08:43:05 pix-fw Jul 17 2002 08:45:52: %PIX-6-302002: Teardown TCP

connection 1343142 faddr 5.6.7.8/39570 gaddr 1.2.3.4/25 laddr 1.2.3.4/25

duration 0:00:03 bytes 89970 (TCP Reset-O)

Jul 17 08:43:05 pix-fw Jul 17 2002 08:45:52: %PIX-6-106015: Deny TCP (no

connection) from 5.6.7.8/39570 to 1.2.3.4/25 flags RST on interface

outside

Jul 17 08:43:05 pix-fw Jul 17 2002 08:45:52: %PIX-6-106015: Deny TCP (no

connection) from 5.6.7.8/39570 to 1.2.3.4/25 flags RST on interface

outside

Jul 17 08:43:06 pix-fw Jul 17 2002 08:45:53: %PIX-6-106015: Deny TCP (no

connection) from 1.2.3.4/25 to 5.6.7.8/39570 flags FIN PSH ACK on

interface inside

0 Helpful
1 Reply 1

yusuff
Cisco Employee
Cisco Employee

‎07-18-2002 02:42 AM

From the syslog message, it seems that 5.6.7.8 is sending a RESET

%PIX-6-302002: Teardown TCP connection 1343142 faddr 5.6.7.8/39570 gaddr 1.2.3.4/25 laddr 1.2.3.4/25 duration 0:00:03 bytes 89970 (TCP Reset-O)

(see the (TCP RESET-O)

TCP Termination Reasons

Reset-I = Reset was from the inside.

Reset-O = Reset was from the outside.

In cases like this, I would recommend using a sniffer to find out why is 5.6.7.8 is sending a RESET.

Other than that, the 3 DENY logs are clear. Rememer Syslog message 106015 always means that PIX looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection (which the eralier syslog says that your client sent us the RESET and we cleared the connection), the PIX Firewall discards the packet.

HTH

R/Yusuf

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card