106023: Deny tcp src outside from WWW Servers

Dear all, we have a Cisco PIX 525, SW Release 6.3.4.

We have an ISA Proxy Server in our DMZ, the WWW Clients connect to this ISA Proxy Server. This goes directly to the Internet.

There are many many entries like this in the Firewall log. Everything works fine, but what about the warnings?

%PIX-4-106023: Deny tcp src outside:ISAPROXY/8080 dst inside:172.25.111.158/2377 by access-group "dmz_to_intranet"

I guess the warnings are because there are answers from WWW Servers, and no client waiting for them. Any ideas?

Thanks, René

Rene Obrecht

Just found something in debug mode: this entry appears when I click "abort" or "reload" in my browser (TCP Reset-I). So is everything fine, or can this error message be "hidden"? Because with 500 WWW users we get a lot of them in the logfile.

%PIX-6-302014: Teardown TCP connection 35416669 for outside:ISAPROXY/8080 to inside:172.22.113.5/2027 duration 0:00:01 bytes 10898 TCP Reset-I

%PIX-4-106023: Deny tcp src outside:ISAPROXY/8080 dst inside:172.22.113.5/2027 by access-group "dmz_to_intranet"

Thanks

Rene Obrecht

In article , Rene Obrecht wrote:
:Just found something in debug mode, this entry is when I click "abort"
:or "reload" in my browser (TCP Reset-I). So everything is fine or can
:this error message be "hidden", because with 500 WWW Users we got a lot
:of them in the logfile.

:%PIX-6-302014: Teardown TCP connection 35416669 for
:outside:ISAPROXY/8080 to inside:172.22.113.5/2027 duration 0:00:01
:bytes 10898 TCP Reset-I

:%PIX-4-106023: Deny tcp src outside:ISAPROXY/8080 dst
:inside:172.22.113.5/2027 by access-group "dmz_to_intranet"

Yes, you found an important clue to the behaviour, one that a lot of people never notice.

What is happening is that the PIX is cleaning up the connection information while there are still packets returning from the remote end. The PIX is not noticing that they belonged to the previous connection and so is not quietly dropping them. I have not, though, seen any good hypotheses advanced as to why the Deny message does not include the "flags SYN" message that would normally appear in such a case.

This behaviour started appearing in PIX 6.3(1), if I recall correctly. In PIX 6.2, the cleanup routine waited longer.

Walter Roberson

Okay, how about Version 7.0?

To "eliminate" those messages, I will create a rule that drops all traffic from "outside:ISAPROXY Port 8080" to the inside interface with NO LOGGING. Any other ways to eliminate them?

Thanks

Rene Obrecht
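An alternative to the "deny with no logging" ACL proposed in the last post is to keep the PIX logging as it is and sort the 106023 messages at the log collector instead, using the clue from Walter's explanation: a deny that follows a 302014 teardown for the same connection within a second or two is the post-teardown straggler, while a deny with no matching teardown is a real ACL hit that deserves a look. The following script is an added example and not code from the thread or from Cisco; the log lines in SAMPLE_LOG are constructed (timestamps, connection IDs and the 203.0.113.9 host are made up, modelled on the two message formats quoted above), and the 5-second window is an assumed default, not a documented PIX timer.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the two PIX message types quoted in
# the thread (timestamps, connection IDs and the 203.0.113.9 host are made up).
SAMPLE_LOG = """\
Jun 12 10:00:01 pix %PIX-6-302014: Teardown TCP connection 35416669 for outside:ISAPROXY/8080 to inside:172.22.113.5/2027 duration 0:00:01 bytes 10898 TCP Reset-I
Jun 12 10:00:01 pix %PIX-4-106023: Deny tcp src outside:ISAPROXY/8080 dst inside:172.22.113.5/2027 by access-group "dmz_to_intranet"
Jun 12 10:00:05 pix %PIX-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:172.25.111.158/445 by access-group "dmz_to_intranet"
Jun 12 10:02:30 pix %PIX-6-302014: Teardown TCP connection 35416700 for outside:ISAPROXY/8080 to inside:172.22.113.7/3001 duration 0:00:10 bytes 512 TCP FINs
Jun 12 10:03:00 pix %PIX-4-106023: Deny tcp src outside:ISAPROXY/8080 dst inside:172.22.113.7/3001 by access-group "dmz_to_intranet"
"""

# Syslog-style prefix "Mon DD HH:MM:SS" at the start of each line.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)")
# "interface:host/port" as it appears in both message types.
ENDPOINT = r"(?P<{p}_if>\w+):(?P<{p}_host>[\w.-]+)/(?P<{p}_port>\d+)"
TEARDOWN_RE = re.compile(
    r"%PIX-6-302014: Teardown TCP connection \d+ for " + ENDPOINT.format(p="a")
    + " to " + ENDPOINT.format(p="b"))
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny tcp src " + ENDPOINT.format(p="a")
    + " dst " + ENDPOINT.format(p="b") + r' by access-group "(?P<acl>[^"]+)"')


def _flow(m):
    """Direction-independent key for a connection: both endpoints, sorted, so a
    teardown and a deny that list the two ends in different orders still match."""
    ends = [(m["a_if"], m["a_host"], int(m["a_port"])),
            (m["b_if"], m["b_host"], int(m["b_port"]))]
    return tuple(sorted(ends))


def _timestamp(line):
    m = TS_RE.match(line)
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S") if m else None


def classify_denies(log_text, window_seconds=5):
    """Return (line_no, verdict, flow) for every 106023 line in log_text.

    verdict is "post-teardown" when a 302014 teardown for the same flow was
    logged at most window_seconds earlier (the harmless case described in the
    thread), otherwise "unexplained" (an ACL hit that should be reviewed).
    The window is an assumed value; tune it to what you observe on your box.
    """
    last_teardown = {}   # flow -> timestamp of the most recent teardown
    results = []
    for n, line in enumerate(log_text.splitlines(), 1):
        ts = _timestamp(line)
        t = TEARDOWN_RE.search(line)
        if t:
            last_teardown[_flow(t)] = ts
            continue
        d = DENY_RE.search(line)
        if not d:
            continue
        flow = _flow(d)
        prev = last_teardown.get(flow)
        verdict = "unexplained"
        if ts is not None and prev is not None:
            age = (ts - prev).total_seconds()
            if 0 <= age <= window_seconds:
                verdict = "post-teardown"
        results.append((n, verdict, flow))
    return results


def summarize(results):
    """Count verdicts so the noise level and the residue can be reported."""
    counts = {"post-teardown": 0, "unexplained": 0}
    for _, verdict, _ in results:
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    rows = classify_denies(SAMPLE_LOG)
    for n, verdict, flow in rows:
        print(f"line {n}: {verdict:14} {flow[0]} <-> {flow[1]}")
    print(summarize(rows))
```

Run against the sample, the deny on line 2 is tagged post-teardown (same flow, same second as the Reset-I teardown), the deny from 203.0.113.9 on line 3 stays unexplained because no teardown precedes it, and the deny on line 5 also stays unexplained because its teardown is 30 seconds old; widening window_seconds to 60 flips that last one. Filtering this way keeps the ACL's logging intact, so a genuine blocked connection from the DMZ is not silenced along with the stragglers.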
