PIX-5-611103: User logged out: Uname: enable_1

dougz
Level 1

The following message appears quite a bit in my syslogs for my PIX. It seems benign. What is going on to trigger this message? I know that nobody is actually "logged on" to the PIX.

Error Message %PIX-5-611103: User logged out: Uname: username

Explanation The specified user logged out.

Recommended Action None required.

Thanks,

Doug.

4 Replies

scoclayton
Level 7

It is actually a benign (and incorrectly worded) syslog message. I am guessing that you are running a pre-6.3(4) or 6.2(4) release of code. This syslog message is printed anytime someone tries to telnet to the PIX from an allowed source (specified via the telnet command on the PIX) and fails authentication or allows the prompt to time out.

We have corrected this syslog message so that it doesn't appear as a security threat (that someone named enable_1 logged into and out of the PIX). The bug ID for this is CSCdy54228 - PIX syslog 611103 incorrectly logged when user never logged in.

As you can probably guess from earlier in this post, this is fixed in 6.2(4) and 6.3(4) of the PIX code.

Hope this helps.

Scott

From your description above, it seems like I am getting far more of these messages than what would be generated by telnet login/attack attempts.

I checked my telnet access statements and I am only allowing telnet access to inside/dmz traffic.

I am getting these messages at approx. 10/min. From your description and looking at my firewall configuration, there would have to be an inside user/machine conducting a random but sustained telnet intrusion attack on my firewall. We have a relatively small shop. (About 50 users.) It is possible, but I am confident that it is not likely.

Would the same type of message log if someone were trying to spoof an inside address from the Internet?

Thanks,

Doug.

Q. Would the same type of message log if someone were trying to spoof an inside address from the Internet?

A - Nope, as telnet packets to the outside interface on the PIX are dropped by default unless they came in via an IPSec tunnel.

One thought that might be responsible for this is a mis-configured management server of some sort that is trying to telnet to the PIX for legit reasons. Perhaps a trace on the inside or on the DMZ interface of the PIX will clue us in a little more. Sorry for not having more information.

Scott

Bingo! It's our What's Up! server monitoring the telnet availability for the PIX.

Thanks for the help.

Doug.
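
One way to triage a flood like the one discussed in this thread, as an added example that is not part of the original posts: the script pulls the 611103 events out of syslog lines and checks whether they arrive at a fixed interval, which points to a poller or availability monitor rather than a person typing. The timestamp layout, the hostname `pix-fw`, the year and the sample lines are constructed assumptions; only the message text comes from the thread.

```python
import re
import statistics
from datetime import datetime

# Message ID and text as quoted in the thread; the leading BSD-syslog
# timestamp layout is an assumption about how the collector writes lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*"
    r"%PIX-5-611103: User logged out: Uname: \S+"
)

# Constructed sample: one event every 6 s (the ~10/min rate in the thread)
# plus one unrelated line that must be ignored.
SAMPLE_PERIODIC = [
    f"Mar 12 10:00:{s:02d} pix-fw %PIX-5-611103: User logged out: Uname: enable_1"
    for s in range(0, 60, 6)
] + ["Mar 12 10:00:07 pix-fw unrelated constructed line"]
# Constructed sample: same message at irregular, human-looking intervals.
SAMPLE_IRREGULAR = [
    f"Mar 12 10:05:{s:02d} pix-fw %PIX-5-611103: User logged out: Uname: enable_1"
    for s in (0, 2, 3, 19, 41, 44, 58)
]

def logout_times(lines, year=2004):
    """Return sorted datetimes of 611103 events (year assumed; syslog omits it)."""
    times = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            times.append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return sorted(times)

def classify(times, max_jitter=1.0, min_events=5):
    """Label the event stream by how regular its inter-arrival gaps are."""
    if len(times) < min_events:
        return {"verdict": "insufficient-data", "events": len(times)}
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    span_min = (times[-1] - times[0]).total_seconds() / 60 or 1
    jitter = statistics.pstdev(gaps)  # spread of the gaps, in seconds
    return {
        "verdict": "periodic" if jitter <= max_jitter else "irregular",
        "events": len(times),
        "per_minute": round((len(times) - 1) / span_min, 1),
        "median_gap_s": statistics.median(gaps),
    }

if __name__ == "__main__":
    for sample in (SAMPLE_PERIODIC, SAMPLE_IRREGULAR):
        print(classify(logout_times(sample)))
```

A "periodic" verdict only narrows the search to an automated source; the 611103 line carries no source address, so the sender still has to be identified with a trace on the inside or DMZ interface as suggested in the thread.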