Tear down TCP connection

John Eze — Tue, 12 Mar 2019 09:12:01 GMT

Hello Guy,

I recently set up a Cisco ASA 9.x for a finical institution in the New DC and because theis project still on the implementation phase i yet to implement any form restriction on the ASA.

I have no VPN,NAT connection on the ASA. i have allowed traffic between zones on the asa by permitting ip any any on my inside interface.

Since the project still in a migration phase asked we are passing traffic from the serverfarm on the inside zone (successfully migrated servers from the old DC to the New DC).

The Serverfarm is protected by a Palo Alot fw which also is also in a pass through mode so all out and inbound connection is allowed.

The migration plane is to have a connection on the ASA located on the new DC to the old network terminated on a 6509 (core of the old DC) of the finical institution.

The old network still holds the route to in-country branches and also Affiliates which are located to the outside the country through a VPN tunnel and also it’s the internet breakaway for the network.

I have established full connectivity between the New and old network and also to the Branches, Affiliates through the static Route on the ASA pointing to 6509 (core of the old DC) connection.

My challenge is when servers from the New DC try to establish TCP connections between host on the inside to the Old DC it build the connection then tear it dowm

So the ASA sends the SNY across but the ACK so it Tears down the connection

5# sh log | i 10.2.173.29

%ASA-6-302014: Teardown TCP connection 290051329 for Old-Net:10.2.173.29/3306 to inside:10.4.176.173/34610 duration 0:00:00 bytes 0 TCP Reset-O

%ASA-6-302014: Teardown TCP connection 290051332 for Old-Net:10.2.173.29/3306 to inside:10.4.176.173/34611 duration 0:00:00 bytes 0 TCP Reset-O

%ASA-6-302014: Teardown TCP connection 290051335 for Old-Net:10.2.173.29/3306 to inside:10.4.176.173/34612 duration 0:00:00 bytes 0 TCP Reset-O

%ASA-7-609002: Teardown local-host Ecobank:10.2.173.29 duration 0:00:00

Sh route 10.2.173.29

Routing entry for 10.2.0.0 255.255.0.0

Known via "static", distance 1, metric 0

Routing Descriptor Blocks:

* 10.3.201.134, via Old-Net

Route metric is 0, traffic share count is 1

sh asp drop

Frame drop:

Invalid TCP Length (invalid-tcp-hdr-length) 4

Invalid UDP Length (invalid-udp-length) 4

No valid adjacency (no-adjacency) 839971

No route to host (no-route) 13110842

Reverse-path verify failed (rpf-violated) 98

Flow is denied by configured rule (acl-drop) 609829

First TCP packet not SYN (tcp-not-syn) 2044354

Bad TCP flags (bad-tcp-flags) 1

TCP failed 3 way handshake (tcp-3whs-failed) 303376

TCP RST/FIN out of order (tcp-rstfin-ooo) 1331302

TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 60

TCP packet SEQ past window (tcp-seq-past-win) 1973

TCP invalid ACK (tcp-invalid-ack) 24

TCP Out-of-Order packet buffer full (tcp-buffer-full) 278

TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 59731

TCP RST/SYN in window (tcp-rst-syn-in-win) 452

TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 236

TCP packet failed PAWS test (tcp-paws-fail) 89

Connection limit reached (conn-limit) 3

Slowpath security checks failed (sp-security-failed) 15798

Expired flow (flow-expired) 3

ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 3

DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 2

DNS Inspect packet too long (inspect-dns-pak-too-long) 23

DNS Inspect id not matched (inspect-dns-id-not-matched) 2683

FP L2 rule drop (l2_acl) 785152

Unable to obtain connection lock (connection-lock) 1

Interface is down (interface-down) 991

Dropped pending packets in a closed socket (np-socket-closed) 8868

Last clearing: Never

Flow drop:

Inspection failure (inspect-fail) 18590

TCP Reset-O meaning means

ajay chauhan — Sun, 09 Apr 2017 15:01:29 GMT

TCP Reset-O meaning means that the firewall saw a RST packet come from the outside host. At this point the firewall will remove the connection from its connection table and no further packets will pass. This should be investigated on outside host.

topic Tear down TCP connection in Network Security

Tear down TCP connection

TCP Reset-O meaning means