Question : Lots of syslog entries %PIX-4-106023 since PIX upgrade to 6.3(3)

Since I upgraded our PIX to IOS 6.3(3), the log file is full of entries:
PIX-4-106023: Deny tcp src outside:"Can be any host"/80 dst inside:"proxies PAT address"/34715 by access-group "outside-in"
This was not the case before the upgrade running 6.2(2).
It tells me that traffic is blocked coming from a host port 80 to our proxy server, any port > 1024. This must be traffic related to a connection originally set up by the proxy. When I look at the translation table I can still see a translation for that specific port and the proxy and the Global address. When I look at the connections I can't see a connection for host/80 <==> proxy/>1024. (BTW - this is the most likely reason for the entry in the log.)

It looks like the proxy server closed the connection and the PIX deleted the entry from the table, but the server at the other end still thinks that there is a connection and tries to send traffic back.

Everything works fine as far as the proxy is concerned!

Nothing has been changed in the config since the upgrade.

The config is pretty basic, simple nat / pat

global (outside) 100 ProxiesPATaddr netmask 255.255.255.240
nat (inside) 100 proxy 255.255.255.255

What's different between 6.2 and 6.3?

Richard
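
A triage script for the situation described in the question, added here as an example and not part of the original post: it parses %PIX-4-106023 lines in the format quoted above and separates denies that look like late replies (TCP from a server port to a high port on the PAT address) from other denied traffic. The sample lines, the addresses and the SERVER_PORTS set are constructed assumptions, and the classification is a heuristic, since the log line alone cannot prove a connection existed.

```python
import re
from collections import Counter

# Message layout as quoted in the question (interface:address/port on both sides).
DENY_RE = re.compile(
    r'PIX-4-106023: Deny (?P<proto>\S+) '
    r'src (?P<sif>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

SERVER_PORTS = {80, 443}  # assumption: ports the proxy connects out to

def parse(line):
    """Return the fields of a 106023 deny line, or None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def classify(ev):
    """Heuristic: server port -> high port matches the pattern in the question."""
    if ev["proto"] == "tcp" and ev["sport"] in SERVER_PORTS and ev["dport"] > 1024:
        return "late-reply"
    return "unsolicited"

def summarize(lines):
    """Count denies per (class, destination address, access-group)."""
    counts = Counter()
    for line in lines:
        ev = parse(line)
        if ev:
            counts[(classify(ev), ev["dst"], ev["acl"])] += 1
    return counts

# Constructed sample input (documentation address ranges, not real hosts).
SAMPLE = [
    'Mar 01 10:00:01 fw %PIX-4-106023: Deny tcp src outside:198.51.100.7/80 dst inside:203.0.113.5/34715 by access-group "outside-in"',
    'Mar 01 10:00:02 fw %PIX-4-106023: Deny tcp src outside:198.51.100.9/80 dst inside:203.0.113.5/40211 by access-group "outside-in"',
    'Mar 01 10:00:03 fw %PIX-4-106023: Deny tcp src outside:192.0.2.44/51515 dst inside:203.0.113.5/23 by access-group "outside-in"',
    'Mar 01 10:00:04 fw unrelated message that is not a 106023 deny',
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
```

A large "late-reply" share against the PAT address points at connection teardown timing; "unsolicited" entries are the ones worth reviewing as real inbound attempts.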

Answer : Lots of syslog entries %PIX-4-106023 since PIX upgrade to 6.3(3)

PAQed with points refunded (250)

modulo
Community Support Moderator