6.3.3 stops accepting connections

jdepies
Level 1

Hello,

506 unit running 6.3.3. I noticed since installing 6.3.3 that every time I reboot my syslog server, the PIX starts throwing these errors and refuses any outbound traffic:

201008: The PIX is disallowing new connections.

305006: portmap translation creation failed for udp src inside:10.1.1.3/1035 dst outside:192.36.148.17/53

I have looked these errors up, and the 201 error does reference the syslog server being down, but why would this affect the PIX's ability to accept traffic?

It does not make sense to me that just because my syslog server is not accessible, the PIX should stop working. The only way I can get the PIX to come back up is to reload it.

I have attached my config. Please let me know what's going on.

Thanks

Jeff

1 Reply

gfullage
Cisco Employee

This is by design and entirely expected since you're using TCP to talk to your syslog server. The command reference for the logging command has the following:

---------------------------------------------------

Troubleshooting

If you are using TCP as the logging transport protocol, the PIX Firewall stops passing traffic as a security measure if any of the following error conditions occur: the PIX Firewall is unable to reach the syslog server; the syslog server is misconfigured (such as with PFSS, for example); or the disk is full. (UDP-based logging does not prevent the PIX Firewall from passing traffic if the syslog server fails.)

To enable the PIX Firewall to pass traffic again, do the following:

Step 1 Identify and correct the syslog server connectivity, misconfiguration, or disk space error condition.

Step 2 Enter the command logging host inside 10.1.1.1 tcp/1468 to enable the logging again.

Alternately, you can change the logging to default logging on UDP/514 by issuing the command logging host inside 10.1.1.1. UDP-based logging passes traffic even if the syslog server fails.

---------------------------------------------------

This is by design and one of the security features of the PIX. Basically, if you're serious enough about using TCP for your syslogging, then if the PIX can't log a connection, it doesn't allow it through. If you don't want this feature, just use UDP for your syslogging and you won't run into this problem. The following commands should do the trick for you:

no logging host inside 10.1.1.3 6/1470

logging host inside 10.1.1.3

Of course make sure your syslog server is set up to accept messages received via UDP.
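As an added example (not part of the thread and not a Cisco tool), the following Python audit applies the reply's advice to a whole config rather than one line: it parses every `logging host` line, resolves the transport (tcp or udp spelled as a name or as the IP protocol number, so the `6/1470` above is recognised as TCP; treating `17` as UDP is an assumption here), treats a bare host as the UDP/514 default the quoted reference describes, emits the `no logging host ... / logging host ...` pairs needed to move each TCP syslog host to UDP, and picks out message ID 201008 so a log monitor can alert when the PIX has entered the fail-closed state. The sample config and syslog lines are constructed; only `10.1.1.3 6/1470`, the two message IDs and the defaults come from the thread.

```python
"""Audit a PIX config for TCP syslog transport (the fail-closed mode the
thread describes) and spot the 201008 message that shows it has tripped.
Added example, not from the original post."""
import re

# Constructed sample config: the poster's line plus a few variants.
SAMPLE_CONFIG = """\
hostname pix506
logging on
logging trap informational
logging host inside 10.1.1.3 6/1470
logging host dmz 10.2.2.5 tcp/1468
logging host inside 10.1.1.9 udp/514
logging host outside 192.0.2.10
"""

# Constructed sample syslog output in the format the original post quotes.
SAMPLE_LOG = """\
%PIX-3-201008: The PIX is disallowing new connections.
%PIX-3-305006: portmap translation creation failed for udp src inside:10.1.1.3/1035 dst outside:192.36.148.17/53
%PIX-6-302013: Built outbound TCP connection 12 for outside:192.0.2.10/80 to inside:10.1.1.20/1040
"""

# logging host <interface> <ip> [<tcp|udp|6|17>/<port>]; no transport means UDP/514.
LOGGING_HOST_RE = re.compile(
    r"^logging host\s+(?P<intf>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+(?P<proto>tcp|udp|6|17)/(?P<port>\d+))?$",
    re.IGNORECASE,
)
TCP_SPELLINGS = {"tcp", "6"}          # "17" (assumed) and "udp" resolve to UDP
DEFAULT_PORT = {"tcp": 1468, "udp": 514}
FAIL_CLOSED_MSG_ID = "201008"


def parse_logging_hosts(config):
    """Return one dict per 'logging host' line with the resolved transport and port."""
    hosts = []
    for raw in config.splitlines():
        line = raw.strip()
        m = LOGGING_HOST_RE.match(line)
        if not m:
            continue
        proto = (m.group("proto") or "udp").lower()
        transport = "tcp" if proto in TCP_SPELLINGS else "udp"
        port = int(m.group("port")) if m.group("port") else DEFAULT_PORT[transport]
        hosts.append({
            "line": line,
            "interface": m.group("intf"),
            "ip": m.group("ip"),
            "transport": transport,
            "port": port,
            # TCP syslog makes the PIX stop passing traffic when the server is unreachable.
            "fail_closed": transport == "tcp",
        })
    return hosts


def udp_remediation(hosts):
    """Commands that move every TCP syslog host to the UDP/514 default, as the reply does."""
    cmds = []
    for h in hosts:
        if h["fail_closed"]:
            cmds.append(f"no {h['line']}")
            cmds.append(f"logging host {h['interface']} {h['ip']}")
    return cmds


def fail_closed_events(log_text):
    """Lines carrying message ID 201008: the PIX has stopped accepting new connections."""
    pattern = re.compile(r"(?:%PIX-\d-)?" + FAIL_CLOSED_MSG_ID + r":")
    return [ln for ln in log_text.splitlines() if pattern.search(ln)]


if __name__ == "__main__":
    hosts = parse_logging_hosts(SAMPLE_CONFIG)
    for h in hosts:
        flag = "FAIL-CLOSED" if h["fail_closed"] else "ok"
        print(f"{h['interface']:8} {h['ip']:15} {h['transport']}/{h['port']:<5} {flag}")
    print("\n".join(udp_remediation(hosts)))
    for ev in fail_closed_events(SAMPLE_LOG):
        print("ALERT:", ev)
```

Run it against a saved `show run` and it lists which syslog hosts will take the firewall down with them; the 201008 check is the one to wire into whatever watches the syslog feed, since by the time it fires the only remaining route back is the `logging host` re-entry or a reload described above.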