12-12-2005 12:03 PM - edited 02-21-2020 12:35 AM
I keep getting syslog messages like this:
Dec 12 2005 11:18:22: %PIX-4-106023: Deny tcp src outside:70.245.59.93/80 dst inside:67.67.242.130/23443 by access-group "CSM-acl-outside
And LOTS of them. From a bunch of different IP addresses. I really can't pin down the problem. Anyone have any ideas?
Thanks.
Sonny
12-13-2005 03:06 AM
Hi
This is an informative message indicative of access attempts from the outside IP address.
It will be there even though you haven't enabled any log for the same.
Regards
12-13-2005 05:35 AM
Looks like replies from web requests where the stateful session has timed out, so the outside access list drops it.
Did you do anything immediately prior to these messages?
If you issued a 'clear xlate' just before it would have the same effect.
12-13-2005 06:53 AM
Cisco TAC says it is this:
http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCee27834&Submit=Search
Just thought I'd let you know. Thanks.
Sonny
03-01-2006 09:39 AM
I had the same problem.
This is happening because the outgoing connections to some webservers are being closed by the client.
After that, when some packets that were traveling before the outside webserver received the TCP reset arrive at the PIX, the PIX logs error 106023.
The TAC link previously posted is exactly what is happening. I just posted this comment to better understand when it happens.
I have a TAC case related to the same problem, and I hope Cisco reconsiders this bug for 7.x versions too, and fixes it soon.
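Added example, not part of any post in this thread: a triage sketch in Python for the pattern described in the replies above, separating 106023 denies that look like late web-server replies (TCP, source port 80/443, high destination port) from other denied traffic. The port sets, category names and all sample lines except the first are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches %PIX-4-106023 lines that carry ports. The closing quote is optional
# because the line quoted in the thread is cut off after the ACL name.
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"\s]+)"?')

WEB_PORTS = {80, 443}    # assumption: services the inside clients browse to
CLIENT_PORT_MIN = 1024   # assumption: client-side source ports start here

def classify(line):
    """Return (category, fields) for a 106023 line, or None if it does not match."""
    m = DENY_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    sport, dport = int(f["src_port"]), int(f["dst_port"])
    if f["proto"] == "tcp" and sport in WEB_PORTS and dport >= CLIENT_PORT_MIN:
        # Shape of a web server's reply to a connection the firewall no longer tracks.
        return "late_reply", f
    return "unsolicited", f

def summarize(lines):
    """Count denies per category and late replies per inside host."""
    counts, hosts = Counter(), Counter()
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        category, f = result
        counts[category] += 1
        if category == "late_reply":
            hosts[f["dst_ip"]] += 1
    return counts, hosts

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE = [
    'Dec 12 2005 11:18:22: %PIX-4-106023: Deny tcp src outside:70.245.59.93/80 dst inside:67.67.242.130/23443 by access-group "CSM-acl-outside',
    'Dec 12 2005 11:18:25: %PIX-4-106023: Deny tcp src outside:198.51.100.7/443 dst inside:192.0.2.10/40112 by access-group "CSM-acl-outside"',
    'Dec 12 2005 11:18:31: %PIX-4-106023: Deny tcp src outside:203.0.113.9/51544 dst inside:192.0.2.10/23 by access-group "CSM-acl-outside"',
    'Dec 12 2005 11:18:40: %PIX-4-106023: Deny udp src outside:203.0.113.9/80 dst inside:192.0.2.10/1434 by access-group "CSM-acl-outside"',
]

if __name__ == "__main__":
    counts, hosts = summarize(SAMPLE)
    print(dict(counts), dict(hosts))
```

The source port is chosen by the sender, so the `late_reply` label is a triage hint rather than proof; matching the flagged inside hosts against their own outbound connection records confirms it.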
03-14-2006 10:00 AM
I am receiving the 106023 msgs on a PIX525 7.0.4 box.
Are there any resolutions or workarounds to stop this behavior?
Thanks, Chuck
06-05-2006 06:46 AM
I am having the same symptoms here; however, I think in my case it is related to Websense web filtering...
I am using Websense in standalone mode, so the client actually sends the request directly to the web server, and Websense only interferes when a rule is met (sends a reset to the web server).
03-14-2006 12:23 PM
I would guess that on your PIX you have an ACL for CSM-acl-outside. The PIX is doing its job blocking unwanted traffic. I will take a random guess that you're using a CSM module of some sort? Is the above ACL on an interface that's WWW facing?