log Pix's anomaly

sercopi
Level 1

Good evening, for a few days I have been seeing some strange records in the log file of my Pix firewall; now I explain the threat.

In one DMZ have applied an ACL that said:

access-list acl_dmz-col permit tcp any any eq www

and an access group that said:

access-group acl_dmz-col in interface dmz-col

This is to permit every HTTP session, but in my log I find:

Deny tcp src dmz-col:my IP network/80 dst outside:internet public IP/any by access-group "acl_dmz-col"

I hope I have explained my problem exactly; what happens, in your opinion?

Best Regards

Davide

3 Replies

sercopi
Level 1

Good morning, about my case I want to specify some additional information to explain it successfully; below you can find the information as is:

#sh ver

Cisco PIX Firewall Version 6.3(3)

If someone wants other information to troubleshoot the case, don't hesitate to write me; any information that you can send me is welcome.

Best Regards

Davide

garethhinton
Level 1

Guessing a little here:

The packets have a source of port 80, so these are replies from your web server to devices outside.

Sometimes this is caused by a web server on the DMZ responding to clients outside after the session has timed out of the state table, for some reason.

I have seen this with web servers struggling to talk to back end SQL servers then responding late (once the session has timed out), but also just after a reboot of the pix, or a clear xlate (events which clear the session table).

I've had a blank and can't remember the default timeout. 5 minutes rings a bell.

Maybe do some sniffing to watch the sessions, see if you really do have sessions taking that long.

Good morning, thanks very much garethhinton for your probable reason for my HTTP session problem.

With your input we will now verify the code of the pages that are served by the web server (to find whether, for some reason, it makes HTTP replies after the HTTP session timeout of the Pix), and in conjunction we will sniff these HTTP sessions to find information about this delay.

Another question: I think that I don't have an HTTP session timeout in my Pix configuration; below you can see:

arp timeout 14400

timeout xlate 0:10:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:03:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

Thanks very much for your interest; any information that you can send me is welcome.

Best Regards

sercopi
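Here is an added example, not code from this thread or from Cisco, that turns garethhinton's explanation and the posted timeout line into a check you can run over an exported log. It parses "Deny ... by access-group" messages in the shape quoted above, flags the ones that are server replies (TCP leaving the DMZ interface from port 80/443 toward an ephemeral client port, which an inbound DMZ ACL can only ever deny once the connection-table entry is gone), and parses the "timeout conn ..." line so the idle limits are printed in seconds beside the count. The interface name dmz-col comes from the thread; the log lines and addresses are constructed samples, and the 1024 ephemeral-port threshold is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines in the shape of the PIX message quoted in the thread.
# Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Deny tcp src dmz-col:10.20.0.10/80 dst outside:203.0.113.7/52144 by access-group "acl_dmz-col"
Deny tcp src dmz-col:10.20.0.10/80 dst outside:198.51.100.23/41002 by access-group "acl_dmz-col"
Deny tcp src outside:198.51.100.9/44321 dst dmz-col:10.20.0.10/22 by access-group "acl_outside"
Deny udp src dmz-col:10.20.0.11/53 dst outside:203.0.113.2/53 by access-group "acl_dmz-col"
"""

# Copy of the "timeout conn" line as posted in the thread.
TIMEOUT_CONN_LINE = "timeout conn 1:00:00 half-closed 0:10:00 udp 0:03:00 rpc 0:10:00 h225 1:00:00"

DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


@dataclass
class DenyEvent:
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    acl: str


def parse_deny(line: str) -> Optional[DenyEvent]:
    """Return a DenyEvent for a PIX access-group deny line, or None if it does not match."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return DenyEvent(d["proto"], d["src_if"], d["src_ip"], int(d["src_port"]),
                     d["dst_if"], d["dst_ip"], int(d["dst_port"]), d["acl"])


def is_stale_server_reply(ev: DenyEvent, server_if: str, service_ports=(80, 443)) -> bool:
    """TCP leaving the server interface FROM a service port toward an ephemeral port is a
    reply. The inbound ACL has no line for it, so it is only denied when the firewall no
    longer holds (or never held) a connection entry for that session."""
    return (ev.proto == "tcp" and ev.src_if == server_if
            and ev.src_port in service_ports and ev.dst_port >= 1024)  # 1024: assumed threshold


def classify_log(text: str, server_if: str) -> dict:
    """Count stale server replies, other denies and unparsed lines in a log export."""
    counts = {"stale_server_reply": 0, "other_deny": 0, "unparsed": 0}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_deny(line)
        if ev is None:
            counts["unparsed"] += 1
        elif is_stale_server_reply(ev, server_if):
            counts["stale_server_reply"] += 1
        else:
            counts["other_deny"] += 1
    return counts


def hms_to_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_timeout_conn(line: str) -> dict:
    """Parse 'timeout conn H:M:S [name H:M:S ...]' into {name: seconds}; first value is 'conn'."""
    tokens = line.split()
    if tokens[:2] != ["timeout", "conn"]:
        raise ValueError("not a 'timeout conn' line")
    result = {"conn": hms_to_seconds(tokens[2])}
    for name, value in zip(tokens[3::2], tokens[4::2]):
        result[name] = hms_to_seconds(value)
    return result


if __name__ == "__main__":
    print(classify_log(SAMPLE_LOG, server_if="dmz-col"))
    print(parse_timeout_conn(TIMEOUT_CONN_LINE))
```

If the stale-reply count dominates, correlate the timestamps of those denies with the web server's own access log: a reply arriving more than the `conn` idle limit after the last packet, or more than the `half-closed` limit after the client sent FIN, is exactly the case garethhinton describes, and a burst of them right after a reboot or `clear xlate` points at the table being flushed rather than at slow pages.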
