11-17-2004 12:50 PM - edited 03-09-2019 09:29 AM
The following message appears quite a bit in my syslogs for my PIX. It seems benign. What is going on to trigger this message? I know that nobody is actually "logged on" to the PIX.
Error Message %PIX-5-611103: User logged out: Uname: username
Explanation The specified user logged out.
Recommended Action None required.
Thanks,
Doug.
11-17-2004 01:41 PM
It is actually a benign (and incorrectly worded) syslog message. I am guessing that you are running a pre-6.3(4) or 6.2(4) release of code. This syslog message is printed any time someone tries to telnet to the PIX from an allowed source (specified via the telnet command on the PIX) and fails authentication or allows the prompt to time out.
We have corrected this syslog message so that it doesn't appear as a security threat (that someone named enable_1 logged into and out of the PIX). The bug ID for this is CSCdy54228 - PIX syslog 611103 incorrectly logged when user never logged in.
As you can probably guess from earlier in this post, this is fixed in 6.2(4) and 6.3(4) of the PIX code.
Hope this helps.
Scott
11-18-2004 11:08 AM
From your description above, it seems like I am getting far more of these messages than what would be generated by telnet login/attack attempts.
I checked my telnet access statements and I am only allowing telnet access to inside/dmz traffic.
I am getting these messages at approx. 10/min. From your description and looking at my firewall configuration, there would have to be an inside user/machine conducting a random but sustained telnet intrusion attack on my firewall. We have a relatively small shop. (About 50 users.) It is possible, but I am confident that it is not likely.
Would the same type of message log if someone were trying to spoof an inside address from the Internet?
Thanks,
Doug.
11-18-2004 01:11 PM
Q. Would the same type of message log if someone were trying to spoof an inside address from the Internet?
A. Nope, as telnet packets to the outside interface on the PIX are dropped by default unless they came in via an IPSec tunnel.
One thought that might be responsible for this is a misconfigured management server of some sort that is trying to telnet to the PIX for legitimate reasons. Perhaps a trace on the inside or on the DMZ interface of the PIX will clue us in a little more. Sorry for not having more information.
Scott
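As an added illustration (not part of the original thread or of any Cisco tooling), the following Python script shows one way to triage the 611103 messages before taking a packet trace: it parses constructed syslog lines in the format quoted above, measures the event rate, and checks whether the intervals between events are nearly constant. A steady cadence (like the roughly 10 per minute reported above) points to an automated poller such as a monitoring server; irregular bursts look more like interactive attempts. The hostname, timestamps and user names in the samples are constructed for this example; `enable_1` is the name mentioned in the thread.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Matches the message quoted in the thread:
#   %PIX-5-611103: User logged out: Uname: <name>
# preceded by a BSD-style syslog timestamp and a hostname (assumed layout).
PIX_611103 = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"%PIX-5-611103: User logged out: Uname: (?P<uname>\S+)$"
)

# Constructed sample: one event every 6 seconds, i.e. about 10 per minute,
# plus one unrelated line that the parser must ignore.
SAMPLE_POLLER = [
    f"Nov 19 10:00:{s:02d} pixfw %PIX-5-611103: User logged out: Uname: enable_1"
    for s in range(0, 60, 6)
] + ["Nov 19 10:00:30 pixfw %PIX-6-106015: Deny TCP (no connection) (constructed filler line)"]

# Constructed sample: a short burst followed by long quiet gaps.
SAMPLE_BURST = [
    "Nov 19 10:00:00 pixfw %PIX-5-611103: User logged out: Uname: enable_1",
    "Nov 19 10:00:01 pixfw %PIX-5-611103: User logged out: Uname: enable_1",
    "Nov 19 10:00:03 pixfw %PIX-5-611103: User logged out: Uname: enable_1",
    "Nov 19 10:00:40 pixfw %PIX-5-611103: User logged out: Uname: enable_1",
    "Nov 19 10:01:30 pixfw %PIX-5-611103: User logged out: Uname: enable_1",
]


def parse_611103(lines, year=2004):
    """Return a list of (timestamp, uname) for every 611103 line; other lines are skipped.

    BSD syslog timestamps carry no year, so the caller supplies one.
    """
    events = []
    for line in lines:
        m = PIX_611103.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("uname")))
    return events


def summarize(events, max_cv=0.25):
    """Compute the event rate per minute and whether the cadence is regular.

    'regular' is True when the coefficient of variation of the inter-event
    gaps is below max_cv, which is what a scheduled poller tends to produce.
    """
    if len(events) < 2:
        return {"count": len(events), "per_minute": 0.0, "regular": False, "mean_gap_s": None}
    times = sorted(t for t, _ in events)
    span = (times[-1] - times[0]).total_seconds()
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean_gap = mean(gaps)
    spread = pstdev(gaps)
    per_minute = (len(times) - 1) / span * 60 if span > 0 else float("inf")
    regular = mean_gap > 0 and spread / mean_gap < max_cv
    return {
        "count": len(times),
        "per_minute": round(per_minute, 2),
        "regular": regular,
        "mean_gap_s": round(mean_gap, 1),
    }


def triage(lines):
    """One-line verdict for a batch of syslog lines."""
    s = summarize(parse_611103(lines))
    if s["count"] < 2:
        return "too few 611103 events to judge"
    if s["regular"]:
        return f"{s['per_minute']}/min at a fixed {s['mean_gap_s']}s interval: looks like an automated poller"
    return f"{s['per_minute']}/min with irregular gaps: worth a capture on the inside/DMZ interface"


if __name__ == "__main__":
    print("poller sample:", triage(SAMPLE_POLLER))
    print("burst sample: ", triage(SAMPLE_BURST))
```

The rate and interval thresholds are the only tunables; since the 611103 text itself carries no source address, a regular cadence is the strongest hint the log alone can give before a capture on the inside or DMZ interface identifies the host.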
11-19-2004 04:49 AM
Bingo! It's our What's Up! server monitoring the telnet availability for the PIX.
Thanks for the help.
Doug.