topic Re: Odd looking %ASA-6-106015: Deny TCP (no connection) in Network Security

Odd looking %ASA-6-106015: Deny TCP (no connection)

Cheerio — Fri, 21 Feb 2020 14:21:32 GMT

Hello,

Hoping someone can explain what's happening here.

Here's what I see in the 3 events below.

1. Connection is built between src:10.102.0.40/52845 and dest:10.102.89.80/8089.

2. Firewall immediately denies the connection because there is no existing connection between src:10.102.89.80/8089 and dest:10.102.0.40:52845.

3. Connection between src:10.102.89.80/8089 and dest:10.102.0.40:52845 is torn down.

What's puzzling to me is why are the source and dest IP's swapped in the built and teardown events? Could this have anything to do with why the connection is immediately torn down?

Re: Odd looking %ASA-6-106015: Deny TCP (no connection)

Flavio Miranda — Tue, 26 Sep 2017 02:27:06 GMT

Hi,

The information provided is a bit vague, but, this is for sure some security mechanism being handled by Firewall.

Let´s see one possibility here:

302304

Error Message %ASA-6-302304: Teardown TCP state-bypass connection conn_id frominitiator_interface :ip/port to responder_interface :ip/port duration , bytes , teardown reason .

Explanation A new TCP connection has been torn down, and this connection is a TCP-state-bypass connection. This type of connection bypasses all the TCP state checks and additional security checks and inspections.

duration —The duration of the TCP connection

bytes —The total number of bytes transmitted over the TCP connection
teardown reason —The reason for the teardown of the TCP connection

Recommended Action If you need to secure TCP traffic with all the normal TCP state checks as well as all other security checks and inspections, you can use the no set connection advanced-options tcp-state-bypass command to disable this feature for TCP traffic.

If you provide in more detail where this torn down comes from, we may find the preciselly reason.

Re: Odd looking %ASA-6-106015: Deny TCP (no connection)

Cheerio — Tue, 26 Sep 2017 22:08:22 GMT

Hello and thanks for responding.

There is no 302304 in my events. Did you mean to lookup 302014?

As far as the teardown, I assume it's due to the 106015.