%PIX-4-106023 messages in log

Hi,

We are getting quite a few of these messages in our log files that have a destination of the outside interface of the PIX. Is this something to be concerned about?

%PIX-4-106023: Deny udp src outside:167.142.225.5/53 dst inside:xx.xx.xxx.xx/39471 by access-group "101"

Thanks

Ray

I would suspect that you are NATing to the outside interface IP, and that these are late replies to internal DNS queries. 167.142.225.5 is a valid DNS server (ns1.netins.net) so this is unlikely to be an attack.

Did you happen to set your udp timeout to be lower than normal? Are you on a particularly slow or congested line?

DNS queries usually time out in 60 seconds, so there isn't -usually- any problem getting the answer back within the 2 minute default udp timeout setting.

Does 167.142.225.5 happen to be your regular DNS server? Or are hosts inside your system explicitly asking for DNS resolution from 167.142.225.5 (as opposed to them asking your internal DNS server for resolution and that internal DNS server then asks 167.142.225.5 for resolution)? If you have an internal DNS server, is 167.142.225.5 set as a host your internal DNS server forwards queries to? If your hosts are regularly presenting DNS queries to 167.142.225.5 and your hosts are setting the "want recursion" flag, and 167.142.225.5 is willing to do recursion for you, then it can end up taking more than 2 minutes to get a reply back and you might have to increase your udp timeout.

The "want recursion" flag is usually set for direct DNS queries, host to some server that is configured as its DNS server; it is also often set by internal DNS servers in making queries to a system the internal server has been configured to "forward" queries to. It is, though, if I recall correctly, usually not set by a DNS server in making queries to a random DNS server on the net as it goes through the standard name resolution process.

Walter Roberson

Walter, et al,

I've seen similar behavior after upgrading to our latest version of 6.x. I've been noodling around for an answer, but the closest thing I've seen a reference to is that this is somewhat of a "bug". I see these entries, though, for port 80 (HTTP traffic). We do run Websense, so I don't know if this is some sort of TCP connection timeout issue, something with Websense, etc. It is a pain because it really fills up the logs with a bunch of noise. I've tried tuning the log message types and priorities, but that hasn't helped too much.

I'd appreciate your thoughts as it would be nice to not have to filter through multiple gigabyte log files of junk to find items of concern. Thanks!

slim
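
A triage sketch for the log noise discussed in this thread, added here as an example and not code from any of the posters: it parses 106023 lines in the format quoted in the first post and separates denies that look like late replies (source port 53/udp or 80/tcp arriving from the outside interface at a high destination port) from everything else. The port-to-label table, the 1024 threshold, and all sample lines except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Field layout taken from the 106023 line quoted in the first post.
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Assumption: server-side source ports whose denied inbound packets are
# most likely replies that arrived after the firewall state had expired.
REPLY_PORTS = {("udp", 53): "late-dns-reply", ("tcp", 80): "late-http-reply"}
EPHEMERAL_MIN = 1024  # assumption: client-side ports are at or above this


def classify(line):
    """Return (label, src_ip, acl) for a 106023 line, or None otherwise."""
    m = DENY_RE.search(line)
    if not m:
        return None
    proto = m["proto"].lower()
    sport, dport = int(m["src_port"]), int(m["dst_port"])
    label = REPLY_PORTS.get((proto, sport))
    # Anything that does not fit the reply pattern stays up for review.
    if label is None or dport < EPHEMERAL_MIN or m["src_if"] != "outside":
        label = "review"
    return label, m["src_ip"], m["acl"]


def summarize(lines):
    """Count (label, src_ip) pairs so repeated noise collapses to one row."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[(hit[0], hit[1])] += 1
    return counts


SAMPLE = [  # first line is from the thread; the rest are constructed
    '%PIX-4-106023: Deny udp src outside:167.142.225.5/53 dst inside:xx.xx.xxx.xx/39471 by access-group "101"',
    '%PIX-4-106023: Deny udp src outside:167.142.225.5/53 dst inside:192.0.2.10/40112 by access-group "101"',
    '%PIX-4-106023: Deny tcp src outside:198.51.100.7/80 dst inside:192.0.2.10/3312 by access-group "101"',
    '%PIX-4-106023: Deny tcp src outside:203.0.113.9/4431 dst inside:192.0.2.10/445 by access-group "101"',
    'unrelated syslog line (constructed)',
]

if __name__ == "__main__":
    for (label, src), n in summarize(SAMPLE).most_common():
        print(f"{n:6d}  {label:16s} {src}")
```

A "late-*" label is only a hint, since the sender chooses its own source port; rows with unfamiliar sources or unusually high counts still warrant a look before they are filtered out.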
