
Major Syslog congestion on PIX Firewall

spfeffer
Level 1

I keep getting syslog messages like this:

Dec 12 2005 11:18:22: %PIX-4-106023: Deny tcp src outside:70.245.59.93/80 dst inside:67.67.242.130/23443 by access-group "CSM-acl-outside

And LOTS of them. From a bunch of different IP addresses. I really can't pin down the problem. Anyone have any ideas?

Thanks.

Sonny

7 Replies

spremkumar
Level 9

Hi

This is an informative message indicative of access tries from the outside IP address.

It will be there even though you haven't enabled any log for the same.

Regards

garethhinton
Level 1

Looks like replies from web requests where the stateful session has timed out, so the outside access list drops it.

Did you do anything immediately prior to these messages?

If you issued a 'clear xlate' just before it would have the same effect.

Cisco TAC says it is this:

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCee27834&Submit=Search

Just thought I'd let you know. Thanks.

Sonny

encarnacao
Level 1

I had the same problem.

This is happening because the outgoing connections to some web servers are being closed by the client.

After that, when some packets that were traveling before the outside web server received the TCP reset arrive at the PIX, the PIX logs error 106023.

The TAC link previously posted is exactly what is happening. I am just posting this comment to better understand when it happens.

I have a TAC case related to the same problem, and I hope Cisco reconsiders this bug for 7.x versions too, and fixes it soon.

I am receiving the 106023 messages on a PIX525 7.0.4 box.

Are there any resolutions or workarounds to stop this behavior?

thanks, chuck

I am having the same symptoms here; however, I think in my case it is related to Websense web filtering...

I am using Websense in standalone mode, so the client actually sends the request directly to the web server, and Websense only interferes when a rule is met (sends a reset to the web server).

ju_mobile
Level 1

I would guess that on your PIX you have an ACL for CSM-acl-outside. The PIX is doing its job blocking unwanted traffic. I will take a random guess that you're using a CSM module of some sort? Is the above ACL on an interface that's WWW facing?
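
One way to triage the flood along the lines of the diagnosis given in the replies above, added here as an example and not code from any poster or from Cisco: it parses 106023 lines of the shape quoted in the question and separates denies that look like late replies from web servers (TCP from the outside interface, source port 80/443, high destination port) from other inbound attempts. The port set, the 1024 threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches the 106023 line shape quoted in the question (tcp/udp, with ports).
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
WEB_PORTS = {80, 443}   # assumption: server ports inside clients browse to
EPHEMERAL_MIN = 1024    # assumption: client-side ports are at or above this

def classify(line):
    """Return (src_ip, label) for a 106023 deny, or None for any other line."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    late_reply = (
        m["proto"] == "tcp"
        and m["src_if"] == "outside"
        and int(m["src_port"]) in WEB_PORTS
        and int(m["dst_port"]) >= EPHEMERAL_MIN
    )
    return m["src_ip"], "late_web_reply" if late_reply else "inbound_attempt"

def summarize(lines):
    """Count denies per label and per (label, source address)."""
    by_label, by_source = Counter(), Counter()
    for line in lines:
        result = classify(line)
        if result is not None:
            src_ip, label = result
            by_label[label] += 1
            by_source[(label, src_ip)] += 1
    return by_label, by_source

# Constructed sample lines using documentation address ranges, not real logs.
ACL = 'by access-group "CSM-acl-outside"'
SAMPLE = [
    f"Dec 12 2005 11:18:22: %PIX-4-106023: Deny tcp src outside:192.0.2.10/80 dst inside:198.51.100.5/23443 {ACL}",
    f"Dec 12 2005 11:18:23: %PIX-4-106023: Deny tcp src outside:192.0.2.10/80 dst inside:198.51.100.5/23444 {ACL}",
    f"Dec 12 2005 11:18:25: %PIX-4-106023: Deny tcp src outside:203.0.113.7/443 dst inside:198.51.100.6/40112 {ACL}",
    f"Dec 12 2005 11:18:30: %PIX-4-106023: Deny tcp src outside:203.0.113.99/51234 dst inside:198.51.100.5/22 {ACL}",
    "Dec 12 2005 11:18:31: %PIX-6-302013: Built outbound TCP connection (constructed, truncated)",
]

if __name__ == "__main__":
    by_label, by_source = summarize(SAMPLE)
    print(dict(by_label))
    for (label, src), n in by_source.most_common():
        print(f"{n:4d}  {label:16s} {src}")
```

The split is a heuristic on ports only: a large `late_web_reply` share spread over many sources fits the stale-session explanation in the thread, while `inbound_attempt` entries are the ones to review individually.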
