PIX 515E Crashing Same Time Each Day

by Al Cooper-2

Hi All,

I have a PIX 515E running 6.3(5).

For the last few days at approx 9:30 each morning we are unable to do all
outbound traffic except I am still able to VPN into the network.  I am also
unable to SSH directly into the PIX from the outside.

The last syslog entry each day is the same and it is:
11/3/2006 9:26 Local4.Error 192.168.10.33 Nov 03 2006 08:54:29: %PIX-3-710003: TCP access denied by ACL from 204.74.68.16/33211 to outside:xxx.xxx.xxx.xxx/ssh
11/3/2006 9:26 Local4.Warning 192.168.10.33 Nov 03 2006 08:54:29: %PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= xxx.xxx.xxx.xxx, src_addr= 204.74.68.16, prot= tcp

All the "last" syslog entries are from the same source IP.

Once the traffic stops we start getting the following log entries:
11/3/2006 9:44 Local4.Warning 10.180.250.254 Nov 03 2006 16:42:40: %PIX-4-106023: Deny tcp src inside:192.168.4.25/1197 dst outside:xxx.xxx.xxx.xxx21 by access-group "inside"

Not all attempts to access the Internet are logged.

Rebooting the firewalls does not fix the issue.

The Internet comes back in about 1 hour.

It looks like I am being attacked.  Is this a vulnerability in Cisco's SSH?
Will upgrading to 7.0 software fix the issue?

Should I worry about my internal network being compromised?

Thanks for any help you can offer.
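
An added example, not part of the original posts: a short Python parser for the syslog entries quoted above that groups them by reporting device and compares the collector's timestamp with the device's own. It assumes the first timestamp on each line is the syslog server's receive time and the IP after the facility is the reporting device; the field names are hypothetical and the sample is constructed from the quoted lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three entries quoted in the post, one per line,
# with the mail-wrapped lines rejoined and the redacted address left as posted.
SAMPLE = """\
11/3/2006 9:26 Local4.Error 192.168.10.33 Nov 03 2006 08:54:29: %PIX-3-710003: TCP access denied by ACL from 204.74.68.16/33211 to outside:xxx.xxx.xxx.xxx/ssh
11/3/2006 9:26 Local4.Warning 192.168.10.33 Nov 03 2006 08:54:29: %PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= xxx.xxx.xxx.xxx, src_addr= 204.74.68.16, prot= tcp
11/3/2006 9:44 Local4.Warning 10.180.250.254 Nov 03 2006 16:42:40: %PIX-4-106023: Deny tcp src inside:192.168.4.25/1197 dst outside:xxx.xxx.xxx.xxx21 by access-group "inside"
"""

# Assumed layout: <collector time> <facility.level> <reporter IP> <device time>: %PIX-<sev>-<id>: <text>
LINE = re.compile(
    r"^(?P<recv>\d+/\d+/\d{4} \d+:\d{2}) (?P<fac>\w+)\.(?P<lvl>\w+) "
    r"(?P<reporter>\d+\.\d+\.\d+\.\d+) (?P<dev>\w{3} \d{2} \d{4} [\d:]{8}): "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# Outside peer as written in 710003 ("from a.b.c.d/port") and 402106 ("src_addr= a.b.c.d")
PEER = re.compile(r"(?:from |src_addr= )(\d+\.\d+\.\d+\.\d+)")

def parse(line):
    """Return a dict of fields for one entry, or None if the line does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["recv"] = datetime.strptime(e["recv"], "%m/%d/%Y %H:%M")
    e["dev"] = datetime.strptime(e["dev"], "%b %d %Y %H:%M:%S")
    peer = PEER.search(e["text"])
    e["peer"] = peer.group(1) if peer else None
    return e

def summarize(text):
    """Per reporting device: message IDs, outside peers, last collector time, clock skew (minutes)."""
    out = defaultdict(lambda: {"msgids": [], "peers": set(), "last_recv": None, "skew_min": None})
    for e in filter(None, map(parse, text.splitlines())):
        s = out[e["reporter"]]
        s["msgids"].append(e["msgid"])
        if e["peer"]:
            s["peers"].add(e["peer"])
        s["last_recv"] = e["recv"]
        # Device clock minus collector clock; collector stamps only have minute resolution.
        s["skew_min"] = round((e["dev"] - e["recv"]).total_seconds() / 60)
    return dict(out)

if __name__ == "__main__":
    for reporter, s in summarize(SAMPLE).items():
        print(reporter, s["msgids"], sorted(s["peers"]), s["last_recv"], f"skew {s['skew_min']:+d} min")
```

Under those assumptions, the 710003/402106 pair and the 106023 deny come from two different reporting devices whose clocks differ from the collector's by about -32 and +419 minutes, which matters when lining up a "last entry" with the start of an outage.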




RE: PIX 515E Crashing Same Time Each Day

by Dan Bogda

Al,
What software license do you have installed (show activation-key, show
version)? The PIX will act funny like this if you are running a FailOver
only license on a standalone PIX.

If it is a bug, here are links to the 6.3(5) software release notes and
the Bug Scrub webpage; you may be able to find the bug in there.

HTH,
Dan

PIX 6.3(5) Release Notes:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_release_note09186a00804e6d6d.html

Bug Toolkit (Requires Cisco.com login):
http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl


-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of Al Cooper
Sent: Monday, November 06, 2006 10:27 AM
To: firewalls@...
Subject: PIX 515E Crashing Same Time Each Day
