log messages about icmp denied

In a 3725 running IOS 12.4(5a) we have an access list on the internet interface that passes some icmp types and blocks the remainder with log. Sometimes we see a number of events in the log like this:

Jun 12 19:47:26 hk 102292: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (44/216), 1 packet
Jun 12 19:47:29 hk 102293: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (60/224), 1 packet
Jun 12 19:47:34 hk 102294: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (48/20), 1 packet
Jun 12 19:47:55 hk 102295: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (42/80), 1 packet
Jun 12 19:47:59 hk 102296: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (62/108), 1 packet
Jun 12 19:48:04 hk 102297: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (55/136), 1 packet
Jun 12 19:48:16 hk 102298: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (51/8), 1 packet
Jun 12 19:51:51 hk 102299: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (52/220), 1 packet
Jun 12 19:51:53 hk 102300: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (45/176), 1 packet
Jun 12 19:52:00 hk 102301: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (63/104), 1 packet

Is it certain that the system at a.b.c.d is really sending those weird icmp messages to us (e.f.g.h), or could there be an issue in the logging code that makes it log this trash?

At first I believed this was an attack, but now I see such an event where the source is the home PC of one of our employees. Could it be that it is infected with some malware, or is he just sending some icmp we did not expect and is the logging broken?

I also see logs with an expected code, like this:

Jun 3 08:50:18 hk 99909: 8w4d: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 61.219.64.4 -> e.f.g.h (5/1), 1 packet
Jun 3 08:55:58 hk 99910: 8w4d: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 61.219.64.4 -> e.f.g.h (5/1), 1 packet

Here, someone is trying to send us a REDIRECT, something we have blocked on purpose. So it at least works part of the time.

Rob
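
A triage sketch for log lines like those in the post, added here as an example and not part of the original post. It assumes the pair in parentheses is the ICMP type/code (as the (5/1) redirect entry suggests) and checks each pair against a small hand-picked subset of the IANA ICMP registry; the names `KNOWN`, `classify` and `triage` are this example's own.

```python
import re
from collections import defaultdict

# Subset of the IANA ICMP type registry: type -> (name, highest defined code).
# A pair missing from this table is "unrecognised" by this script, nothing more.
KNOWN = {
    0: ("echo-reply", 0),
    3: ("unreachable", 15),
    5: ("redirect", 3),
    8: ("echo", 0),
    11: ("time-exceeded", 1),
    12: ("parameter-problem", 2),
}

LINE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) denied icmp "
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?"
)

def classify(icmp_type, code):
    """Label a type/code pair using the KNOWN table."""
    if icmp_type not in KNOWN:
        return "unrecognised-type"
    name, max_code = KNOWN[icmp_type]
    return name if code <= max_code else name + "/unrecognised-code"

def triage(lines):
    """Return {source: {label: packet_count}} for every matching log line."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE.search(line)  # search() skips the syslog/uptime prefix
        if not m:
            continue
        label = classify(int(m["type"]), int(m["code"]))
        summary[m["src"]][label] += int(m["count"])
    return {src: dict(labels) for src, labels in summary.items()}

# Sample input: four log lines copied from the post (addresses as redacted there)
SAMPLE = [
    "Jun 12 19:47:26 hk 102292: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (44/216), 1 packet",
    "Jun 12 19:47:29 hk 102293: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (60/224), 1 packet",
    "Jun 3 08:50:18 hk 99909: 8w4d: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 61.219.64.4 -> e.f.g.h (5/1), 1 packet",
    "Jun 3 08:55:58 hk 99910: 8w4d: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 61.219.64.4 -> e.f.g.h (5/1), 1 packet",
]

if __name__ == "__main__":
    for src, labels in triage(SAMPLE).items():
        print(src, labels)
```

Grouping by source separates senders whose denied ICMP is all of a recognised kind from senders producing only unrecognised pairs, which are the ones worth confirming with a packet capture on the interface.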