Event ID - ASA-6-106100

Message Code: ASA-6-106100
Severity: Information
Description: access-list acl_ID {permitted | denied | est-allowed} protocol interface_name/source_address(source_port) - interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval}) hash codes.
Explanation: This message is generated any time that a packet is seen that does not match an existing connection on the adaptive security appliance. The message indicates either the initial occurrence or the total number of occurrences during an interval. This message provides more information than message 106023, which only logs denied packets, and does not include the hit count or a configurable level.

When an access-list line has the log argument, it is expected that this syslog ID might be triggered because of a non-synchronized packet reaching the adaptive security appliance and being evaluated by the access-list. For example, if an ACK packet is received on the adaptive security appliance (for which no TCP connection exists in the connection table), the device might generate syslog 106100, indicating that the packet was permitted; however, the packet is later correctly dropped because of no matching connection.

The following list describes the message values:
  • permitted | denied | est-allowed—These values specify whether the packet was permitted or denied by the ACL. If the value is est-allowed, the packet was denied by the ACL but was allowed for an already established session (for example, an internal user is allowed to access the Internet, and responding packets that would normally be denied by the ACL are accepted).
  • protocol—TCP, UDP, ICMP, or an IP protocol number.
  • interface_name—The interface name for the source or destination of the logged flow. The VLAN interfaces are supported.
  • source_address—The source IP address of the logged flow.
  • dest_address—The destination IP address of the logged flow.
  • source_port—The source port of the logged flow (TCP or UDP). For ICMP, this field is 0.
  • dest_port—The destination port of the logged flow (TCP or UDP). For ICMP, this field is src_addr.
  • hit-cnt number—The number of times this flow was permitted or denied by this ACL entry in the configured time interval. The value is 1 when the adaptive security appliance generates the first syslog message for this flow.
  • first hit—The first message generated for this flow.
  • number-second interval—The interval in which the hit count is accumulated. Set this interval using the access-list command with the interval option.
  • hash codes—Two hash codes are always printed for the object-group ACE and the constituent regular ACE. These hash codes are visible in the show access-list command output. The hash is calculated over the configured ACE-line and uniquely identifies the ACE that was hit.
User Action: None required.
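
An added example (not from the original page or from the vendor): a Python parser for this message that totals denied hits per flow by summing hit-cnt instead of counting log lines, since each message carries the hits for its interval. The `->` separator, the bracketed hash codes, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Field names follow the message description above. The "->" separator and the
# bracketed hash codes are assumptions; "-" and unbracketed lines also match.
PATTERN = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<protocol>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_addr>[^(\s]+)\((?P<src_port>\d+)\) ->? "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_addr>[^(\s]+)\((?P<dst_port>\d+)\) "
    r"hit-cnt (?P<hit_cnt>\d+) "
    r"\(?(?:(?P<first>first hit)|(?P<interval>\d+)-second interval)\)?"
    r"(?: \[(?P<hashes>[^\]]*)\])?"
)

def parse_106100(line):
    """Return the fields of one 106100 message as a dict, or None if no match."""
    m = PATTERN.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port", "hit_cnt"):
        rec[key] = int(rec[key])
    rec["first_hit"] = rec.pop("first") is not None
    interval = rec.pop("interval")
    rec["interval_s"] = int(interval) if interval else None
    rec["hashes"] = [h.strip() for h in (rec["hashes"] or "").split(",") if h.strip()]
    return rec

def denied_totals(lines):
    """Sum hit-cnt per denied flow; counting lines alone would undercount."""
    totals = Counter()
    for rec in filter(None, map(parse_106100, lines)):
        if rec["action"] == "denied":
            key = (rec["acl"], rec["src_addr"], rec["dst_addr"], rec["dst_port"])
            totals[key] += rec["hit_cnt"]
    return totals

# Constructed sample lines (documentation address ranges), not captured logs.
SAMPLE = [
    "%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.7(51544)"
    " -> inside/192.0.2.10(22) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.7(51544)"
    " -> inside/192.0.2.10(22) hit-cnt 14 300-second interval [0x1a2b3c4d, 0x0]",
    "%ASA-6-106100: access-list outside_in permitted tcp outside/198.51.100.4(40000)"
    " -> inside/192.0.2.20(443) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]",
    "%ASA-6-106023: Deny tcp src outside:203.0.113.7/51544 dst inside:192.0.2.10/22",
]
print(dict(denied_totals(SAMPLE)))
```

As the explanation above notes, a `permitted` record only means the ACL allowed the packet; it may still be dropped later for lack of a matching connection, so treat permitted counts as ACL evaluations, not delivered traffic.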