%PIX-3-313001: Denied ICMP type=3, code=3 from 155.229.56.214 on interface 0

jstewart73 · ‎07-11-2011

I've had this line 2 consective times in the log and then immediately afterwards the PIX cuts off the internet. Is it possible after so many denied ICMPs it does this? Is there some threshold the PIX reaches and then causing the internet traffic to stop?

varrao · ‎07-11-2011

Hi Ja,

Could you please provide a config from the firewall. If these logs incraese exp[onentially on the PIX, it would increase the CPU usage and that would definietly impact the traffic.

When using the icmp command with an access list, if the first matched entry
is a permit entry, the ICMP packet continues processing. If the first matched entry is a
deny entry or an entry is not matched, the firewall discards the ICMP packet and generates
this syslog message. The icmp command enables or disables pinging to an interface. With
pinging disabled, the firewall cannot be detected on the network. This feature is also
referred to as configurable proxy pinging.

I would like to have a look at the configuration or you can provide the output of "show icmp"

Thanks,
Varun

Thanks,
Varun Rao

jstewart73 · ‎07-11-2011

This is all it showed when running show icmp:

icmp permit any echo-reply outside

Anu M Chacko · ‎07-11-2011

Hi Ja,

Could you monitor the CPU when these messages are logged? It is possible that the CPU gets busy processing these syslogs, especially if you've configured a syslog server which is not yet available and the normal traffic is dropped. Could you tell me what IP 155.229.56.214 is?

Regards,

Anu

jstewart73 · ‎07-11-2011

I'm not sure how to monitor the CPU? I'm also not aware what this IP is... All I know it comes out of CA from megapath.net.

varrao · ‎07-11-2011

Hi Ja,

To monitor the CPU usage, you can use the "Show cpu" command when the issue occurs. Can u provide the config as well???

Varun

Thanks,
Varun Rao