08-08-2003 02:34 PM - edited 02-20-2020 10:55 PM
PIX software upgrade from 6.2(1) to 6.3(2) resulted in an over 40-fold increase in syslog 106023 messages triggered by connection attempts from external hosts on 80/tcp to ports > 1023 on the external PAT IP address. From packet capture, the messages appear to be triggered by HTTP sessions from remote web servers back to internal clients after outbound session termination from the internal client.
08-10-2003 07:11 PM
It could very likely be a coincidence that this is happening after the upgrade.
It could also be an intrusion/hacking event. Are the messages from the same source address? This should confirm whether someone is attempting footprinting or port scanning of your IP range(s).
Regards
Yusuf
08-11-2003 06:59 AM
Thanks, but that was the first thing I ruled out.
08-11-2003 07:10 AM
Hi -
Message Code: %PIX-4-106023
Severity: Warning (Warning condition)
Example: Deny protocol src [inbound-interface]:[src_address/src_port] dst outbound-interface:dst_address/dst_port [type {type}, code {code}] by access_group access-list-name
Explanation: An IP packet was denied by the access-list.
Action: Change permission of access-list if a permit policy is desired. If messages persist from the same source address, messages could indicate a foot printing or port scanning attempt. Contact the remote host administrator.
If you are seeing %PIX-4-106023 then, from past experience, check that your ACLs have the appropriate access-group command associated with them, i.e. if you have inside ACLs then you should have the command: access-group inside in interface inside, and for outside: access-group outside in interface outside.
Hope this helps -
08-11-2003 07:14 AM
Thanks, but that was the first thing I ruled out.
01-05-2004 09:39 AM
Hi! Did you figure out what it is? I have the same thing. Thanks
01-05-2004 09:54 AM
Hi,
The changes you note are a result of the new feature known as policy NAT. One of the things we had to do with respect to this feature was change the way the PIX processes incoming packets. We now log inbound packets that have no connections associated with them as being denied by the ACL. Prior to this, they would be denied because there was no xlate, which the PIX silently dropped (no logs). The 106023 messages can be ignored in most cases if you see a corresponding 302014 message preceding it. Hope this helps.
Scott
01-05-2004 10:18 AM
Thanks for your response! I do not have any 302014 messages at all. I do have 106023 even for the Cisco forum. Why is there a new session initiated from remote port 80 to the computer with the browser running?
01-05-2004 10:35 AM
Can you post an example of some that you are seeing?
And the most likely reason you do not have the 302014 messages is because you are not logging at a high enough level. The 302014 messages are suppressed below level 6.
Scott
01-05-2004 10:44 AM
Those are the errors for the Cisco forum:
01-05-2004 11:05:11 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4756 by access-group "acl_out"
01-05-2004 11:05:11 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4756 by access-group "acl_out"
01-05-2004 11:05:11 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4756 by access-group "acl_out"
01-05-2004 11:05:12 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4759 by access-group "acl_out"
01-05-2004 11:05:12 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4759 by access-group "acl_out"
01-05-2004 11:05:12 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4759 by access-group "acl_out"
01-05-2004 11:05:12 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4759 by access-group "acl_out"
Once again, why is there a communication like that? Also, what is 302014 message? Thanks.
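Scott's advice above, checking whether each 106023 deny is preceded by a 302014 teardown for the same connection, and Yusuf's check for many denies from one source, applied to lines like the ones posted here. This is an added example, not code from the thread or from Cisco; the 302014 line is constructed in PIX 6.x format, and the 60-second window and the 'late-packet'/'unexplained' labels are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Syslog lines as relayed by the collector in the thread; the 302014 teardown
# line is constructed (PIX 6.x format) to show the correlation Scott describes.
SAMPLE_LOG = """\
01-05-2004 11:05:10 Local4.Info 192.168.2.1 %PIX-6-302014: Teardown TCP connection 811 for outside:204.69.199.39/80 to inside:10.0.64.30/4756 duration 0:00:04 bytes 1532 (TCP FINs)
01-05-2004 11:05:11 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4756 by access-group "acl_out"
01-05-2004 11:05:11 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4756 by access-group "acl_out"
01-05-2004 11:05:12 Local4.Warning 192.168.2.1 %PIX-4-106023: Deny tcp src outside:204.69.199.39/80 dst inside:10.0.64.30/4759 by access-group "acl_out"
"""

TS = r"(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})"
DENY_RE = re.compile(TS + r".*%PIX-4-106023: Deny (?P<proto>\w+) src \w+:(?P<sip>[\d.]+)/(?P<sport>\d+)"
                    r" dst \w+:(?P<dip>[\d.]+)/(?P<dport>\d+)")
TEARDOWN_RE = re.compile(TS + r".*%PIX-6-302014: Teardown TCP connection \d+ for \w+:(?P<aip>[\d.]+)/(?P<aport>\d+)"
                        r" to \w+:(?P<bip>[\d.]+)/(?P<bport>\d+)")

def _ts(s):
    return datetime.strptime(s, "%m-%d-%Y %H:%M:%S")

def _flow(ip1, p1, ip2, p2):
    # Direction-independent key for one TCP flow (teardown and deny list the ends in opposite order).
    return tuple(sorted([(ip1, int(p1)), (ip2, int(p2))]))

def classify_denies(log_text, window=timedelta(seconds=60)):
    """Tag each 106023 deny as 'late-packet' if a 302014 teardown for the same
    flow preceded it within `window` (assumed 60 s), else 'unexplained'."""
    teardowns, verdicts = {}, []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            teardowns[_flow(m["aip"], m["aport"], m["bip"], m["bport"])] = _ts(m["ts"])
            continue
        m = DENY_RE.search(line)
        if not m:
            continue
        seen = teardowns.get(_flow(m["sip"], m["sport"], m["dip"], m["dport"]))
        late = seen is not None and timedelta(0) <= _ts(m["ts"]) - seen <= window
        verdicts.append((m["sip"], int(m["dport"]), "late-packet" if late else "unexplained"))
    return verdicts

def unexplained_by_source(verdicts):
    """Count unexplained denies per remote source address; one address hitting
    many ports is the pattern Yusuf's reply suggests looking for."""
    counts = {}
    for sip, _port, verdict in verdicts:
        if verdict == "unexplained":
            counts[sip] = counts.get(sip, 0) + 1
    return counts
```

The 302014 lines only appear when logging runs at level 6 or above, as Scott notes, so with a lower logging level every deny will come out as 'unexplained'.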
01-13-2004 08:41 AM
I also have seen that but somewhat ignored it.