Flooded with 106006

deanwebb · January 27, 2015, 04:26:38 PM

ASA 5585, 9.1(3)
Log is flooded with Critical 106006, source IP is one of the IPs of the inside interface of the perimeter firewall, the destination IP is the Tufin monitoring box. Traffic that the ASA is throwing a fit over is UDP 514, syslog traffic. The perimeter firewall is in an active/passive HA cluster, and it's the passive member that's throwing all the poo at the ASA, which manages the connection from the perimeter firewall to the rest of the network.

I see some stuff online about getting flooded with 106006 messages, but nothing really concrete for a resolution... might bounce the secondary, but, well... I dunno?

Thoughts?

deanwebb · January 27, 2015, 04:44:41 PM

Stopping/starting syslog output reduced the flood, but I'm still seeing those criticals, now I see them for other UDP traffic that crosses the firewall, as well. There is a rule to permit that traffic, by the way, and it has flowed normally in the past.

killabee · January 27, 2015, 08:07:49 PM

Is there a permit flow connection limit you're hitting, causing subsequent permits to be denied?

Is the standby perimeter firewall having issues, and that why it's generating that much traffic, or is the amount of syslog traffic it's generating normal?

deanwebb · January 27, 2015, 08:51:32 PM

It definitely was partly a firewall issue, since the switching off/on business took the number of alerts down from AVALAAAAANCHE!!! to a pair every few seconds. But I still see them and the firewall that used to be able to send syslogs to the Tufin box no longer does that. Tufin still gets its updates via SSH, but I am not seeing UDP go across that intermediary firewall.

Flooded with 106006

deanwebb

deanwebb

killabee

deanwebb