
PIX: Cannot log on via Telnet and continuous log via Console


tomlloyd2007 (IS-IT--Management, GB), May 10, 2007
All of a sudden I cannot log onto my PIX firewall (515e 6.3). I just get a password prompt and when I type it in it is rejected 3 times before the connection is lost. I am the only person who has access to the firewall so the password has not changed. I then connected a console cable to the firewall and received a continuous logging output (extract below):

fi106023: Deny tcp src inside:128.10.10.253/23089 dst outside:128.10.1.2/9100 by access-group "aclin"
106023: Deny tcp src inside:10.1.1.102/3813 dst outside:192.43.244.18/37 by access-group "aclin"
305012: Teardown dynamic TCP translation from inside:10.1.10.192/3513 to outside:62.173.114.42/1044 duration 0:16:55
106023: Deny tcp src inside:10.1.1.102/3813 dst outside:192.43.244.18/37 by access-group "aclin"
106023: Deny tcp src inside:128.10.10.253/23090 dst outside:128.10.1.25/9100 by access-group "aclin"
106023: Deny tcp src inside:10.1.1.67/3288 dst outside:192.43.244.18/37 by access-group "aclin"

This output was scrolling very quickly across the screen and I was unable to type in any commands. Any pointers would be greatly appreciated.
Thanks
Tom
 
It's hard to say what's causing your telnet access to stop,

and I might be shooting in the dark here, but there are a lot of connections trying to leave your firewall on port 9100 (usually used for printers or printer management like the HP JetDirect boxes) and port 37 (the time protocol, or NTP).

Firstly, is that normal, and should the IPs that are being blocked be doing this?

The firewall might be seriously overloaded for some reason and not able to contact the TACACS+ box before it times out or something. It's hard to tell without more info.
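Lyndonl's observation above (many denies to ports 9100 and 37) is the kind of thing a defender would rather pull out of the syslog feed programmatically than read off a scrolling console. Below is an added example, not code from the thread or from Cisco, that parses PIX 6.3 106023 "Deny" lines like the ones Tom pasted and counts denies per destination port and per source/port pair. The sample log is constructed from the lines quoted in the thread; the optional `%PIX-4-` prefix handles the form the messages take when they reach a syslog server.

```python
import re
from collections import Counter

# Constructed sample, copied in the format quoted in the thread (PIX 6.3 syslog).
SAMPLE_LOG = """\
106023: Deny tcp src inside:128.10.10.253/23089 dst outside:128.10.1.2/9100 by access-group "aclin"
106023: Deny tcp src inside:10.1.1.102/3813 dst outside:192.43.244.18/37 by access-group "aclin"
305012: Teardown dynamic TCP translation from inside:10.1.10.192/3513 to outside:62.173.114.42/1044 duration 0:16:55
106023: Deny tcp src inside:10.1.1.102/3813 dst outside:192.43.244.18/37 by access-group "aclin"
106023: Deny tcp src inside:128.10.10.253/23090 dst outside:128.10.1.25/9100 by access-group "aclin"
106023: Deny tcp src inside:10.1.1.67/3288 dst outside:192.43.244.18/37 by access-group "aclin"
"""

# Message 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
# The optional "%PIX-4-" prefix appears when the same message is written to syslog.
DENY_RE = re.compile(
    r'^(?:%PIX-\d-)?106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(text):
    """Return one dict per 106023 line; other message IDs (e.g. 305012) are skipped."""
    denies = []
    for line in text.splitlines():
        m = DENY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            denies.append(d)
    return denies


def summarize(denies):
    """Count denies per destination port and per (source IP, destination port) pair."""
    by_port = Counter(d["dport"] for d in denies)
    by_src_port = Counter((d["src"], d["dport"]) for d in denies)
    return by_port, by_src_port


if __name__ == "__main__":
    by_port, by_src_port = summarize(parse_denies(SAMPLE_LOG))
    for port, n in by_port.most_common():
        print(f"dst port {port}: {n} denies")
    for (src, port), n in by_src_port.most_common():
        print(f"{src} -> port {port}: {n} denies")
```

Feeding the syslog server's copy of the messages through this gives the "who is hammering which port" table needed to decide whether the ACL hits are expected noise to clean up or something to investigate.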
 
lyndonl, thanks for your quick response. There are a few IP addresses that need to be blocked which I know about. Some are trying to get out on port 37 to an NTP server and another one is trying to print on port 9100. This is normal activity that needs cleaning up, but I do not think it is related to the problem.

It just seems that when I connect the console cable to the firewall I immediately get this logging output. I don't have to enter a username or password. It is almost like it is using up all the resources on the PIX.

You said you needed more information. What would that be?

Thanks
 
Well, to see if the FW is being abused memory- and CPU-wise,
I would suggest doing a show mem usage and show cpu usage from the enable prompt.

Do you run a syslog server for your firewall?
 
P.S.
You might want to disable console logging while you troubleshoot, or at least to see the CPU and mem stats.

In conf t:
no logging console
 
I can't type any commands in because I can't log on via telnet (the password is not accepted) and in console mode I get the logging scrolling across the screen.

I do have a syslog server and the output on the syslog server is the same that I get at the console.

Thanks
 
You should still be able to type even though you can't see what you are actually doing.

from console:
en
yourpassword
conf t
no logging console {then enter}

You should be able to pop that in a text file and just copy and paste.

The PIX buffer should handle that fine. Once you have done that, the PIX should no longer scroll info on the screen.
 
I cannot enter any text onto the screen. The logging is moving too fast. I have done a capture of the text and nothing is entered. The firewall is working as expected apart from this. Is there a way to pause the logging to allow commands to be entered?

Thanks
 
This will require down time. Unplug the interfaces to stop the syslog messages on the screen. You should now have control back so you can enter commands. Once you have done that, do as lyndonl posted.

If this doesn't work, use the password recovery feature here to regain control.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 