https://community.cisco.com/t5/network-security/return-traffic-being-blocked-in-ftd-firewall/m-p/5246400#M1118719 <P>Hi all,</P> <P>Is anyone here also experience this kind of issue on the FTD?&nbsp; we notice that some return traffic being blocked on the FTD.</P> <P>Thanks for the answer!! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 13 Jan 2025 13:06:33 GMT mjrosana02 2025-01-13T13:06:33Z https://community.cisco.com/t5/network-security/return-traffic-being-blocked-in-ftd-firewall/m-p/5246400#M1118719 <P>Hi all,</P> <P>Is anyone here also experience this kind of issue on the FTD?&nbsp; we notice that some return traffic being blocked on the FTD.</P> <P>Thanks for the answer!! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 13 Jan 2025 13:06:33 GMT https://community.cisco.com/t5/network-security/return-traffic-being-blocked-in-ftd-firewall/m-p/5246400#M1118719 mjrosana02 2025-01-13T13:06:33Z https://community.cisco.com/t5/network-security/return-traffic-being-blocked-in-ftd-firewall/m-p/5246402#M1118720 <P>Did you check ""show conn"" to see if there active conn in ftd for retrun traffic&nbsp;</P> <P>MHM</P> Mon, 13 Jan 2025 12:46:37 GMT https://community.cisco.com/t5/network-security/return-traffic-being-blocked-in-ftd-firewall/m-p/5246402#M1118720 MHM Cisco World 2025-01-13T12:46:37Z https://community.cisco.com/t5/network-security/return-traffic-being-blocked-in-ftd-firewall/m-p/5246462#M1118724 <P>What indicators are you seeing to lead to believe this is the case?</P> <P>Have you confirmed the routing is symmetric (return traffic coming via the same interface via which it leaves)?</P> Mon, 13 Jan 2025 13:51:01 GMT https://community.cisco.com/t5/network-security/return-traffic-being-blocked-in-ftd-firewall/m-p/5246462#M1118724 Marvin Rhoads 2025-01-13T13:51:01Z https://community.cisco.com/t5/network-security/return-traffic-being-blocked-in-ftd-firewall/m-p/5246702#M1118762 <P>Please provide logs and if possible packet captures showing this behavior.</P> Tue, 14 Jan 2025 00:53:30 GMT https://community.cisco.com/t5/network-security/return-traffic-being-blocked-in-ftd-firewall/m-p/5246702#M1118762 ccieexpert 2025-01-14T00:53:30Z https://community.cisco.com/t5/network-security/return-traffic-being-blocked-in-ftd-firewall/m-p/5246707#M1118763 <P>Hi Marvin,</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mjrosana02_0-1736818342693.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/237499i8FC58A9ACF495C0C/image-size/medium?v=v2&amp;px=400" role="button" title="mjrosana02_0-1736818342693.png" alt="mjrosana02_0-1736818342693.png" /></span></P><P>Here is the sample logs, From the existing rule the source is 172.16.x.x network and the destination is 192.168.24.40 on port 8443, there is no issue from this direction. But we are seeing these logs where 192.168.24.40 is communicating back to 172.16.x.x using port 8443 but the destination is the random ports.&nbsp;</P> Tue, 14 Jan 2025 01:38:24 GMT https://community.cisco.com/t5/network-security/return-traffic-being-blocked-in-ftd-firewall/m-p/5246707#M1118763 mjrosana02 2025-01-14T01:38:24Z https://community.cisco.com/t5/network-security/return-traffic-being-blocked-in-ftd-firewall/m-p/5246708#M1118764 <P>Hello <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1481123">@ccieexpert</a>&nbsp;,</P><P>Good day!<BR />Please refer to my comments above.</P><P>Thanks,</P> Tue, 14 Jan 2025 01:40:40 GMT https://community.cisco.com/t5/network-security/return-traffic-being-blocked-in-ftd-firewall/m-p/5246708#M1118764 mjrosana02 2025-01-14T01:40:40Z https://community.cisco.com/t5/network-security/return-traffic-being-blocked-in-ftd-firewall/m-p/5246749#M1118765 <P>that doesnt help as it only shows the reverse packets that are blocked..</P> <P>first question is there any issue ? or you are just checking why they are happening ?</P> <P>You should get a syslog of the entire flow from start to finish as shown in the below link.</P> <P>That will help to see when the CONN was built and when it was teardown.. It is possible that a conn was reset/torn down by the firewall,&nbsp; and then a return packet came after that in the reverse direction, thus my question is it affecting anything..</P> <P>Please get us the syslog/log for the sourde/destination flow, which allow us more insight.</P> <P>&nbsp;</P> <P><A href="https://www.lammle.com/post/cisco-firepower-ftd-syslog-messages-and-how-to-see-cisco-ftd-lina-events/" target="_blank">https://www.lammle.com/post/cisco-firepower-ftd-syslog-messages-and-how-to-see-cisco-ftd-lina-events/</A></P> Tue, 14 Jan 2025 03:57:39 GMT https://community.cisco.com/t5/network-security/return-traffic-being-blocked-in-ftd-firewall/m-p/5246749#M1118765 ccieexpert 2025-01-14T03:57:39Z https://community.cisco.com/t5/network-security/return-traffic-being-blocked-in-ftd-firewall/m-p/5246766#M1118766 <P>That's return traffic which hits the firewall after the session has already been closed, that is the firewall doesn't find a xlate for those sessions, I suppose this can happen for many reasons, duplicated packets, high latency, network issues, server issues etc..</P><P>Nothing to be worried about usually</P> Tue, 14 Jan 2025 05:08:01 GMT https://community.cisco.com/t5/network-security/return-traffic-being-blocked-in-ftd-firewall/m-p/5246766#M1118766 Massimo Baschieri 2025-01-14T05:08:01Z