106023: Deny tcp src outside from WWW Servers

Guest
Archived from groups: comp.security.firewalls

Dear all, we have a Cisco PIX 525, SW Release 6.3.4.

We have an ISA Proxy Server in our DMZ; the WWW clients connect to this
ISA Proxy Server, which goes directly to the Internet.

There are many, many entries like this in the firewall log. Everything
works fine, but what about the warnings?

%PIX-4-106023: Deny tcp src outside:ISAPROXY/8080 dst
inside:172.25.111.158/2377 by access-group "dmz_to_intranet"

I guess the warnings are because there are answers from WWW servers
and no client waiting for them. Any ideas?

Thanks, René

Guest

Just found something in debug mode: this entry appears when I click "abort"
or "reload" in my browser (TCP Reset-I). So is everything fine, or can
this error message be "hidden"? Because with 500 WWW users we get a lot
of them in the logfile.

%PIX-6-302014: Teardown TCP connection 35416669 for
outside:ISAPROXY/8080 to inside:172.22.113.5/2027 duration 0:00:01
bytes 10898 TCP Reset-I

%PIX-4-106023: Deny tcp src outside:ISAPROXY/8080 dst
inside:172.22.113.5/2027 by access-group "dmz_to_intranet"

Thanks

Guest

In article <1126096187.425251.140780@g44g2000cwa.googlegroups.com>,
Rene Obrecht <groups@no-woman-no-cry.ch> wrote:
:Just found something in debug mode: this entry appears when I click "abort"
:or "reload" in my browser (TCP Reset-I). So is everything fine, or can
:this error message be "hidden"? Because with 500 WWW users we get a lot
:of them in the logfile.

:%PIX-6-302014: Teardown TCP connection 35416669 for
:outside:ISAPROXY/8080 to inside:172.22.113.5/2027 duration 0:00:01
:bytes 10898 TCP Reset-I

:%PIX-4-106023: Deny tcp src outside:ISAPROXY/8080 dst
:inside:172.22.113.5/2027 by access-group "dmz_to_intranet"


Yes, you found an important clue to the behaviour, one that a lot of
people never notice.

What is happening is that the PIX is cleaning up the connection
information while there are still packets returning from the remote
end. The PIX is not noticing that they belonged to the previous
connection and so is not quietly dropping them. I have not, though,
seen any good hypotheses advanced as to why the Deny message does not
include the "flags SYN" message that would normally appear in such
a case.

This behaviour started appearing in PIX 6.3(1), if I recall correctly.
In PIX 6.2, the cleanup routine waited longer.
--
I was very young in those days, but I was also rather dim.
-- Christopher Priest
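As an added example (not part of the thread and not any poster's code), the
script below applies the correlation the reply above describes to a log
excerpt: a 106023 deny whose flow was torn down (302014) a moment earlier is a
late packet from a dead connection and can be filtered out of review, while a
deny with no recent teardown is genuinely unsolicited traffic that the ACL
blocked. The log lines are constructed, modelled on the messages quoted in the
thread; the syslog host name `pix`, the timestamps, the 203.0.113.9 source, the
second teardown reason and the default 2-second window are assumptions.

```python
"""Correlate PIX %PIX-4-106023 denies with the %PIX-6-302014 teardown that
preceded them, so late packets from closed connections can be separated from
denies that deserve a look.  Example code; the sample log is constructed."""
import re
from datetime import datetime, timedelta

# Syslog prefix (timestamp + relay host) as written by a typical syslog daemon.
SYSLOG_TS = r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ "
# One interface:host/port endpoint; host may be an IP or a PIX 'names' alias.
ENDPOINT = r"(?P<{p}if>\w+):(?P<{p}host>[\w.-]+)/(?P<{p}port>\d+)"

TEARDOWN_RE = re.compile(
    SYSLOG_TS + r"%PIX-6-302014: Teardown TCP connection \d+ for "
    + ENDPOINT.format(p="a") + " to " + ENDPOINT.format(p="b")
    + r" duration \S+ bytes \d+ (?P<reason>.+)$"
)
DENY_RE = re.compile(
    SYSLOG_TS + r"%PIX-4-106023: Deny (?P<proto>\w+) src "
    + ENDPOINT.format(p="a") + " dst " + ENDPOINT.format(p="b")
    + r' by access-group "(?P<acl>[^"]+)"$'
)


def _ts(m):
    # Syslog timestamps carry no year; pin one (assumed) so deltas can be computed.
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=2005)


def _flow(m):
    # Direction-agnostic key: the straggling reply travels the same pair of endpoints.
    return frozenset([(m.group("ahost"), m.group("aport")),
                      (m.group("bhost"), m.group("bport"))])


def classify_denies(lines, window_seconds=2):
    """Return (classification, deny_line) pairs for every 106023 line.

    'late_packet' : a 302014 teardown for the same flow occurred within the window
    'unsolicited' : no recent teardown for that flow; this deny deserves review
    """
    window = timedelta(seconds=window_seconds)
    last_teardown = {}  # flow -> (time of teardown, teardown reason)
    results = []
    for line in lines:
        m = TEARDOWN_RE.match(line)
        if m:
            last_teardown[_flow(m)] = (_ts(m), m.group("reason"))
            continue
        m = DENY_RE.match(line)
        if not m:
            continue  # other message IDs are not relevant here
        torn = last_teardown.get(_flow(m))
        if torn and timedelta(0) <= _ts(m) - torn[0] <= window:
            results.append(("late_packet", line))
        else:
            results.append(("unsolicited", line))
    return results


def summarize(lines, window_seconds=2):
    """Count both classes and return the deny lines that still need a look."""
    counts = {"late_packet": 0, "unsolicited": 0}
    suspicious = []
    for kind, line in classify_denies(lines, window_seconds):
        counts[kind] += 1
        if kind == "unsolicited":
            suspicious.append(line)
    return counts, suspicious


# Constructed sample log, modelled on the messages quoted in the thread.
SAMPLE_LOG = [
    'Sep 07 14:32:10 pix %PIX-6-302014: Teardown TCP connection 35416669 for outside:ISAPROXY/8080 to inside:172.22.113.5/2027 duration 0:00:01 bytes 10898 TCP Reset-I',
    'Sep 07 14:32:10 pix %PIX-4-106023: Deny tcp src outside:ISAPROXY/8080 dst inside:172.22.113.5/2027 by access-group "dmz_to_intranet"',
    'Sep 07 14:32:11 pix %PIX-4-106023: Deny tcp src outside:ISAPROXY/8080 dst inside:172.22.113.5/2027 by access-group "dmz_to_intranet"',
    # No teardown for this flow at all: not a straggler, something really knocked.
    'Sep 07 14:32:45 pix %PIX-4-106023: Deny tcp src outside:203.0.113.9/6667 dst inside:172.22.113.5/445 by access-group "dmz_to_intranet"',
    # Teardown happened, but 30 s earlier: too old to explain a late reply.
    'Sep 07 14:40:00 pix %PIX-6-302014: Teardown TCP connection 35416700 for outside:ISAPROXY/8080 to inside:172.25.111.158/2377 duration 0:00:09 bytes 4021 TCP FINs',
    'Sep 07 14:40:30 pix %PIX-4-106023: Deny tcp src outside:ISAPROXY/8080 dst inside:172.25.111.158/2377 by access-group "dmz_to_intranet"',
]

if __name__ == "__main__":
    counts, suspicious = summarize(SAMPLE_LOG)
    print(counts)
    for line in suspicious:
        print("REVIEW:", line)
```

The window is the tunable part: a couple of seconds covers packets already in
flight when the PIX tore the connection down, while anything much larger starts
to hide denies that have nothing to do with the closed connection. Running it
over a full day of logs with the default window gives a quick feel for how many
of the 106023 entries are the Reset-I stragglers discussed above and how many
are left to look at.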

Guest

Okay, how about Version 7.0?

To "eliminate" those messages, I will create a rule that drops all
traffic from "outside:ISAPROXY Port 8080" to the inside interface with
NO LOGGING. Any other ways to eliminate them?

Thanks