PIX CPU driven to 100% by ICMP

dopenfield
Level 1

While working with a network mapping tool called Intermapper, our PIX was pushed to 100% CPU while filling the log with this message excessively:

Denied ICMP type=3, code=3 from 144.bbb.ccc.dd on interface 3

Output packets on interface 3 (facing this IP address) went way up and everything else dropped on other interfaces.

We know Code=3 is port unreachable. And obviously the offending device was sending NUMEROUS requests, but why would the PIX be so affected??

Background: we do have our network split and attached to two interfaces on the PIX, but are currently permitting all ICMP between these two interfaces.

2 Replies

Patrick Iseli
Level 7

I suppose that you have a high logging level "info" and send all these messages to multiple destinations?

Please post your logging config:

example:

logging on

logging timestamp

logging buffered errors

logging trap warnings

logging history critical

logging facility 23

logging queue 0

logging host inside 192.168.1.x

Try changing the logging level to "warning" if it is on "info".

It might also be good to disable some ICMP IDS signatures if you do not really need them and you generate excessive ICMP messages.

sincerely

Patrick

Current logging config:

logging on

logging timestamp

logging console alerts

logging monitor notifications

logging buffered warnings

logging trap warnings

logging history critical

logging facility 23

logging host inside 144.bb.2c.d

Monitor was only set to notifications when we started investigating this issue.

We have only the one destination to send syslog messages.

I'll look into the ICMP IDS signatures.
