04-01-2005 02:01 PM - edited 02-21-2020 12:03 AM
While working with a network mapping tool called Intermapper, our PIX was pushed to 100% CPU while filling the log with this message excessively:
Denied ICMP type=3, code=3 from 144.bbb.ccc.dd on interface 3
Output packets on interface 3 (facing this IP address) went way up and everything else dropped on other interfaces.
We know Code=3 is port unreachable. And obviously the offending device was sending NUMEROUS requests, but why would the PIX be so affected??
Background: we do have our network split and attached to two interfaces on the PIX, but are currently permitting all ICMP between these two interfaces.
04-02-2005 07:45 AM
I suppose that you have a high logging level "info" and send all these messages to multiple destinations?
Please post your logging config:
example:
logging on
logging timestamp
logging buffered errors
logging trap warnings
logging history critical
logging facility 23
logging queue 0
logging host inside 192.168.1.x
Try changing the logging level to "warning" if it is on "info".
It might also be good to disable some ICMP IDS signatures if you do not really need them and you generate excessive ICMP messages.
Sincerely
Patrick
04-04-2005 05:27 AM
Current logging config :
logging on
logging timestamp
logging console alerts
logging monitor notifications
logging buffered warnings
logging trap warnings
logging history critical
logging facility 23
logging host inside 144.bb.2c.d
Monitor was only set to notifications when we started investigating this issue.
We have only the one destination to send syslog messages.
I'll look into the ICMP IDS signatures.
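Added example, not part of any post in this thread: a small Python tally that finds which source is driving a flood of the "Denied ICMP" message quoted above, by counting matches per source in short time windows. The timestamp prefix layout, the 10-second window, the threshold of 3 and the sample lines (documentation addresses) are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

EPOCH = datetime(1970, 1, 1)

# Message text as quoted in the thread; the leading timestamp layout is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}).*?"
    r"Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
    r"from (?P<src>\S+) on interface (?P<intf>\S+)"
)

def parse(line):
    """Return (timestamp, src, type, code, interface) or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    return ts, m["src"], int(m["type"]), int(m["code"]), m["intf"]

def noisy_sources(lines, window_s=10, threshold=3):
    """Map (src, type, code, interface) to its peak count in any one window,
    keeping only keys whose peak reaches the threshold."""
    buckets = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # not a Denied ICMP message
        ts, *key = rec
        bucket = int((ts - EPOCH).total_seconds()) // window_s
        buckets[(bucket, *key)] += 1
    peaks = {}
    for (_, *key), n in buckets.items():
        key = tuple(key)
        peaks[key] = max(peaks.get(key, 0), n)
    return {k: n for k, n in peaks.items() if n >= threshold}

# Constructed sample log lines (not taken from the thread).
SAMPLE = [
    "Apr 01 2005 14:01:00 Denied ICMP type=3, code=3 from 192.0.2.10 on interface 3",
    "Apr 01 2005 14:01:01 Denied ICMP type=3, code=3 from 192.0.2.10 on interface 3",
    "Apr 01 2005 14:01:02 Denied ICMP type=3, code=3 from 192.0.2.10 on interface 3",
    "Apr 01 2005 14:01:04 Denied ICMP type=3, code=3 from 192.0.2.10 on interface 3",
    "Apr 01 2005 14:01:05 Denied ICMP type=3, code=1 from 198.51.100.7 on interface 3",
    "Apr 01 2005 14:01:06 some unrelated message",
    "Apr 01 2005 14:01:12 Denied ICMP type=3, code=3 from 192.0.2.10 on interface 3",
]

if __name__ == "__main__":
    for key, peak in noisy_sources(SAMPLE).items():
        print(key, "peak per window:", peak)
```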