
NAT problem

Status
Not open for further replies.

irish21 (MIS, US), Oct 14, 2002
We have a Cisco 2911 running the firewall feature set and NAT for several servers. The problem is that every so often, maybe twice a day or twice a week, we get reports that our webserver is down. We can still get to it internally (10.1.X.X), but not from outside the company. The other websites and exchange server are still reachable from outside. To resolve the problem we just reboot the Cisco 2911 router and it is functioning properly again. We still want to find out what the problem is. Can anyone be of help?
 
Next time it blocks access try getting some show or debug information. Try recreating your access lists with some logging and use a syslog to capture some info.

 
The only kind of logging info that I get right now is:
%FW-3-SMTP_INVALID_COMMAND: Invalid SMTP command and
%FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (50) exceeded for host.
I just turned on debugging for IP NAT DETAILED to see if I could get any further information.

What do you mean by recreating my access lists?
 
Your router may be the object of an attack. See the "Error Message Decoder" from Cisco:

1. %FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections ([dec]) exceeded for host [IP_address].
The max-incomplete host limit of half-open TCP connections has been exceeded. This message indicates that a high number of half-open connections is coming to the protected server, and it may indicate that a SYN flood attack is in progress and is targeted to the specified server host.

Recommended Action: This message is for informational purposes only, but it may indicate that a SYN flood attack was attempted. If this alert is issued frequently and identified to be mostly false alarms, then the max-incomplete host threshold value is probably set too low, and there is a significant amount of legitimate traffic coming into that server. In this case, the max-incomplete host parameter should be set to a higher number to avoid false alarms.


2. %FW-3-SMTP_INVALID_COMMAND: Invalid SMTP command ([chars])(total [dec] chars) from initiator ([IP_address]:[dec])
The CBAC code detected an invalid SMTP command in the inspected SMTP connection. This message indicates that a suspicious violation was detected that may be an attack on the mail server system. The command is rejected, and the connection is immediately reset by the firewall.

Recommended Action: This message is for informational purposes only, but it may indicate a security problem.
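Both replies above point in the same direction: send the router's log to a syslog collector and look at what it recorded when the outage was reported. As an added example, not code from the thread, from Cisco, or from Tek-Tips, here is a Python script that tallies the two CBAC messages quoted in this post from a captured syslog file. The message layouts follow the decoder text above; the log lines, hosts and addresses are constructed, and the `SAMPLE_LOG`, `summarize`, `alerts_per_hour`, `frequent_hosts` and `alerts_for_host` names are the example's own. It answers two questions the thread raises: whether the half-open alerts name the web server at all, and whether they fire often enough for the max-incomplete host threshold to be worth raising as the decoder text suggests.

```python
"""Added example, not from the thread: tally CBAC alerts from a captured syslog feed
so the two messages quoted above can be correlated with outage reports.
All log lines and addresses below are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime

# Message layouts follow the Cisco Error Message Decoder text quoted in the thread.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2})")
HOST_TCP_RE = re.compile(
    r"%FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections \((?P<limit>\d+)\) "
    r"exceeded for host (?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)
SMTP_RE = re.compile(
    r"%FW-3-SMTP_INVALID_COMMAND: Invalid SMTP command \((?P<cmd>[^)]*)\)"
    r"\(total (?P<n>\d+) chars\) from initiator "
    r"\((?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\)"
)


def parse_line(line):
    """Return a dict describing a CBAC alert, or None for lines that are not one."""
    ts_m = TS_RE.match(line)
    if not ts_m:
        return None
    ts = datetime.strptime(ts_m.group("ts"), "%b %d %Y %H:%M:%S")
    m = HOST_TCP_RE.search(line)
    if m:
        return {"ts": ts, "kind": "half_open", "host": m.group("host"),
                "limit": int(m.group("limit"))}
    m = SMTP_RE.search(line)
    if m:
        return {"ts": ts, "kind": "smtp", "src": m.group("src"), "cmd": m.group("cmd")}
    return None


def summarize(lines):
    """Group half-open alerts by protected host and SMTP alerts by initiator address."""
    half_open = defaultdict(list)
    smtp = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "half_open":
            half_open[rec["host"]].append(rec["ts"])
        else:
            smtp[rec["src"]] += 1
    return {"half_open": dict(half_open), "smtp": dict(smtp)}


def alerts_per_hour(timestamps):
    """Alert rate over the observed span; spans shorter than an hour count as one hour."""
    if not timestamps:
        return 0.0
    span_h = (max(timestamps) - min(timestamps)).total_seconds() / 3600
    return len(timestamps) / max(span_h, 1.0)


def frequent_hosts(summary, per_hour=1.0):
    """Hosts whose half-open alert rate exceeds per_hour: these are the ones where the
    decoder text's 'false alarm or SYN flood' question has to be answered."""
    return sorted(h for h, ts in summary["half_open"].items()
                  if alerts_per_hour(ts) > per_hour)


def alerts_for_host(summary, host):
    """Number of half-open alerts naming this host; 0 means the alerts do not involve it."""
    return len(summary["half_open"].get(host, []))


# Constructed sample: 10.1.5.25 stands in for the mail server, 10.1.5.40 for the web server.
SAMPLE_LOG = """\
Oct 14 2002 09:12:01: %FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (50) exceeded for host 10.1.5.25.
Oct 14 2002 09:12:44: %FW-3-SMTP_INVALID_COMMAND: Invalid SMTP command (XPING)(total 5 chars) from initiator (192.0.2.77:3341)
Oct 14 2002 09:40:10: %FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (50) exceeded for host 10.1.5.25.
Oct 14 2002 10:02:55: %SYS-5-CONFIG_I: Configured from console by vty0
Oct 14 2002 11:15:09: %FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (50) exceeded for host 10.1.5.25.
Oct 14 2002 11:20:30: %FW-3-SMTP_INVALID_COMMAND: Invalid SMTP command (XPING)(total 5 chars) from initiator (198.51.100.9:4410)
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for host, ts in s["half_open"].items():
        print(f"{host}: {len(ts)} half-open alerts, {alerts_per_hour(ts):.2f}/h")
    print("web server (10.1.5.40) alerts:", alerts_for_host(s, "10.1.5.40"))
    print("SMTP alerts by initiator:", s["smtp"])
    print("hosts over 1 alert/h:", frequent_hosts(s))
```

Run it against the file the collector writes (`summarize(open(path))` works, since the function only iterates lines). A count of zero for the web server's address, with a low and steady rate for the mail server, is consistent with the two messages being unrelated to the NAT complaint; a rate that climbs sharply in the minutes before an outage report would be the signal to look at more closely.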


 
I agree with fmonteiro as well, but it doesn't seem like either of these messages is related to why the NAT for the other website stops responding. These messages are related to CBAC and our mail server. Also, these messages have not appeared when people outside complain about the webserver not responding. I am not saying that it is a NAT problem, but it seems to me that it could be. It only occurs on this particular translation; all of the other servers are still accessible by the outside world when this one is not, and we can still access this one inside. It comes back up with a reboot, which indicates it is something in the router. I am just a beginner with routers, so like I said it is only a guess when I say it is a NAT problem.
 