Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX Syslog Messages

Status
Not open for further replies.
shakamon

shakamon

MIS
Feb 4, 2002
103
US
I have found the following going absolutely nuts in my PIX syslogs. I am seeing approx 70 teardown per second. Can someone tell me what is happening. Am I hosing my dns provider? Here is the connection being built.

Feb 25 15:40:52 172.16.1.1 Feb 25 2006 15:40:48: %PIX-6-302015: Built outbound UDP connection 275643 for outside:x.x.x.x/53 (x.x.x.x/53) to DMZ1:172.16.1.10/33522 (x.x.x.x/3896)

Then i get a steady stream of these. Is something broken on this particular box? It is a Linux box, of which I am a novice at...

Feb 25 15:40:52 172.16.1.1 Feb 25 2006 15:40:48: %PIX-6-302016: Teardown UDP connection 275644 for outside:x.x.x.x/53 to DMZ1:172.16.1.10/33522 duration 0:00:01 bytes 164
Feb 25 15:40:52 172.16.1.1 Feb 25 2006 15:40:48: %PIX-6-302016: Teardown UDP connection 275645 for outside:x.x.x.x/53 to DMZ1:172.16.1.10/33522 duration 0:00:01 bytes 164
Feb 25 15:40:52 172.16.1.1 Feb 25 2006 15:40:48: %PIX-6-302016: Teardown UDP connection 275646 for outside:x.x.x.x/53 to DMZ1:172.16.1.10/33522 duration 0:00:01 bytes 164
Feb 25 15:40:52 172.16.1.1 Feb 25 2006 15:40:48: %PIX-6-302016: Teardown UDP connection 275647 for outside:x.x.x.x/53 to DMZ1:172.16.1.10/33522 duration 0:00:01 bytes 164
Feb 25 15:40:52 172.16.1.1 Feb 25 2006 15:40:48: %PIX-6-302016: Teardown UDP connection 275648 for outside:x.x.x.x/53 to DMZ1:172.16.1.10/33522 duration 0:00:01 bytes 164


"Only the dead fish follow the stream"
 
Sort by date Sort by votes
These are standard messages related to UDP sessions being terminated following a (presumably) successful DNS query. It looks as if the device at 172.16.1.10 is the one requesting the queries from whatever the DNS server x.x.x.x is on the outside.

These are not errors. They are normal traffic streams. If you no longer wish to see them, you need to change your severity logging level. You have set at least severity level 6 which means you're going to see pretty much everything the PIX will generated in its normal day to day activities.

To change the syslog level and get rid of these repetitve messages, you can do this by changing the 'logging trap' and 'logging facility' settings to something less than 6.
 
Upvote 0 Downvote
That makes sense and I did that with the logging. However, I am seeing this 172.16.1.10 system tearing down approximately 70 udp connections per second, is not that a bit much? I do a netstat -an on the box, its linux flavored, and it is showing it as an established connection. I am having a difficult time nailing down what program\app on the server that is making that query. Any ideas???

"Only the dead fish follow the stream"
 
Upvote 0 Downvote
Perhaps if you run something like a netstat -an, you might find what app is running on UDP 33522?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
202
xwray
xwray
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
258
brownmab53
brownmab53
quazimotto
  • Locked
  • Question
Correct Upgrade Path for PIX
Replies
7
Views
410
quazimotto
quazimotto
quazimotto
  • Locked
  • Question
Ping thru PIX to subnet inside??!!
Replies
0
Views
192
quazimotto
quazimotto
hall5942
  • Locked
  • Question
Site to Site VPN with Cisco 881 and PIX
Replies
0
Views
171
hall5942
hall5942

Part and Inventory Search

Sponsor

Back
Top