Managing Deny Flows - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI
Chapter 13
Identifying Traffic with Access Lists
Note: If you also enable a time range for the ACE, use the log keyword before the time-range keyword. If you disable the ACE using the inactive keyword, use the inactive keyword as the last keyword.
If you enter the log option without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). See the following options:
• level—A severity level between 0 and 7. The default is 6.
• interval secs—The time interval in seconds between system log messages, from 1 to 600. The default is 300. This value is also used as the timeout value for deleting an inactive flow.
• disable—Disables all access list logging.
• default—Enables logging to message 106023. This setting is the same as having no log option.
For example, you configure the following access list:
hostname(config)# access-list outside-acl permit ip host 1.1.1.1 any log 7 interval 600
hostname(config)# access-list outside-acl permit ip host 2.2.2.2 any
hostname(config)# access-list outside-acl deny ip any any log 2
hostname(config)# access-group outside-acl in interface outside
When a packet is permitted by the first ACE of outside-acl, the FWSM generates the following system log message:
%PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)
Although 20 additional packets for this connection arrive on the outside interface, the traffic does not have to be checked against the access list, and the hit count does not increase.
If one more connection by the same host is initiated within the specified 10-minute interval (and the source and destination ports remain the same), then the hit count is incremented by 1 and the following message is displayed at the end of the 10-minute interval:
%PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) -> inside/192.168.1.1(1357) hit-cnt 2 (600-second interval)
When a packet is denied by the third ACE, the FWSM generates the following system log message:
%PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)
20 additional attempts within a 5-minute interval (the default) result in the following message at the end of 5 minutes:
%PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 21 (300-second interval)

Managing Deny Flows

When you enable logging for message 106100, if a packet matches an ACE, the FWSM creates a flow entry to track the number of packets received within a specific interval. The FWSM has a maximum of 64 K logging flows for ACEs. A large number of flows can exist concurrently at any point in time. To prevent unlimited consumption of memory and CPU resources, the FWSM places a limit on the number of concurrent deny flows; the limit is placed only on deny flows (and not permit flows) because they can indicate an attack. When the limit is reached, the FWSM does not create a new deny flow for logging until the existing flows expire.

Logging Access List Activity 13-27
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, OL-20748-01
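The two shapes of message 106100 shown on this page (a "first hit" message, then an end-of-interval message whose hit-cnt is cumulative for that flow) and the per-flow tracking described under Managing Deny Flows can be checked against a log feed with a small parser. The following Python is an added example, not code from the Cisco guide: the regular expression, the rule that a later interval message supersedes the first-hit count for the same flow, and the generalized "%<platform>-" prefix are assumptions drawn from the samples above, and the log lines marked constructed are made up for the demonstration.

```python
"""Parse FWSM/PIX 106100 access-list log messages and summarize denied hits.

Added example, not code from the Cisco guide. The message regex and the
per-flow counting rule are assumptions derived from the samples on this page.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed message layout, built from the page's samples. The "%PIX-" prefix is
# generalized to "%<platform>-"; both "(port) ->" and "(port)->" spacings match.
MSG_106100 = re.compile(
    r"%\w+-(?P<sev>\d)-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\)\s*->\s*"
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\) hit-cnt (?P<hits>\d+) "
    r"\((?:first hit|(?P<secs>\d+)-second interval)\)"
)


@dataclass(frozen=True)
class AclHit:
    """One decoded 106100 message."""
    severity: int
    acl: str
    action: str              # "permitted" or "denied"
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    hits: int                # hit-cnt value carried by the message
    interval: Optional[int]  # seconds for an end-of-interval message, None for "first hit"

    @property
    def flow_key(self) -> Tuple:
        # The FWSM counts hits per ACE match with fixed ports (the page says the hit
        # count only increments when source and destination ports stay the same).
        return (self.acl, self.action, self.proto, self.src_ip, self.src_port,
                self.dst_ip, self.dst_port)


def parse_106100(line: str) -> Optional[AclHit]:
    """Return the decoded message, or None for any other syslog line."""
    m = MSG_106100.search(line)
    if m is None:
        return None
    return AclHit(
        severity=int(m["sev"]), acl=m["acl"], action=m["action"], proto=m["proto"],
        src_if=m["src_if"], src_ip=m["src_ip"], src_port=int(m["src_port"]),
        dst_if=m["dst_if"], dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
        hits=int(m["hits"]), interval=int(m["secs"]) if m["secs"] else None,
    )


def _latest_deny_flows(lines: Iterable[str]) -> Dict[Tuple, AclHit]:
    """Keep the most recent denied message per flow.

    Assumption from the page's samples: the end-of-interval message reports the
    cumulative count for that flow (hit-cnt 21 follows hit-cnt 1 for the same
    flow), so a later message replaces the earlier count instead of adding to it.
    """
    latest: Dict[Tuple, AclHit] = {}
    for line in lines:
        hit = parse_106100(line)
        if hit is not None and hit.action == "denied":
            latest[hit.flow_key] = hit
    return latest


def deny_hits_by_source(lines: Iterable[str]) -> Dict[str, int]:
    """Total denied hits per source IP, counting each tracked flow once."""
    totals: Dict[str, int] = defaultdict(int)
    for hit in _latest_deny_flows(lines).values():
        totals[hit.src_ip] += hit.hits
    return dict(totals)


def deny_flow_count(lines: Iterable[str]) -> int:
    """Number of distinct deny flows seen: the quantity the FWSM's concurrent
    deny-flow limit (Managing Deny Flows) applies to."""
    return len(_latest_deny_flows(lines))


# Sample input. The first four lines are the page's own messages joined onto one
# line each; the last two are constructed for this example.
SAMPLE_LOG: List[str] = [
    "%PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)",
    "%PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345)-> inside/192.168.1.1(1357) hit-cnt 2 (600-second interval)",
    "%PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)",
    "%PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 21 (300-second interval)",
    # constructed: a second denied flow from the same host on different ports
    "%PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12346) -> inside/192.168.1.1(1358) hit-cnt 4 (300-second interval)",
    # constructed: a 106023-style deny line, which this parser must ignore
    "%PIX-4-106023: Deny tcp src outside:3.3.3.3/12347 dst inside:192.168.1.1/1359 by access-group \"outside-acl\"",
]

if __name__ == "__main__":
    for src, hits in deny_hits_by_source(SAMPLE_LOG).items():
        print(f"{src}: {hits} denied hits")
    print(f"{deny_flow_count(SAMPLE_LOG)} deny flows tracked")
```

Summing the first-hit and interval messages for the same flow would double count, which is why the aggregator keeps only the latest count per flow. The distinct-flow count is the figure the concurrent deny-flow limit is applied to: when it is exhausted, denied traffic from new flows produces no 106100 message until existing flows time out after their interval, so a monitoring pipeline should not read the absence of deny messages during a flood as the absence of denied traffic.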