I keep getting syslog messages like this:
Dec 12 2005 11:18:22: %PIX-4-106023: Deny tcp src outside:188.8.131.52/80 dst inside:184.108.40.206/23443 by access-group "CSM-acl-outside
And LOTS of them. From a bunch of different IP addresses. I really can't pin down the problem. Anyone have any ideas?
This is an informative message indicative of access tries from the outside ip address.
It will be there though u havent enabled any log for the same.
Looks like replies from web requests where the stateful session has timed out, so the outside access list drops it.
Did you do anything immediately prior to these messages?
If you issued a 'clear xlate' just before it would have the same effect.
Cisco TAC says it is this:
Just thought I'd let you know. Thanks.
I had the same problem.
This is happening because the outgoing connection to some webservers are being closing by the client.
After that, when some packets that was traveling before the outside webserver received the tcp-reset arrives at pix, pix logs error 106023.
The TAC link previouly posted is exacly what is happening. I just post this comment to better understand when it happens.
I'm with a TAC case related to the same problem, and I hope cisco reconsider this BUG to version 7.x versions too, and soon, fix it.
I am receiving the 106023 msgs on a PIX525 7.0.4 box.
Are there any resolutions or work arounds to stop this behavior.
I am having the same symptoms here; however, I think in my case it is related to Websense web filtering...
I am using Websense in standalone mode, so the client actually sends the request directly to the web server, and Websense only interfers when a rule is met (sends a reset to the web server).
I would guess that on your pix you have an acl for CSM-acl-outside. The Pix is doing it's job blocking un wanted traffic. I will take a random guess that your using a CSM module of some sort..? is the above ACL on interface thats www facing ?