topic This may help in trying to in Network Security

Deny TCP (no connection) RST ACK

aelsbernd — Tue, 12 Mar 2019 06:36:58 GMT

ASA 5520

Logs are flooded with multiple Deny TCP entries on interface inside. From internal user IPs to unknown outside public IPs:

Deny TCP (no connection) from 172.26.x.x/63422 to 216.58.216.98/443 flags RST ACK on interface inside

Deny TCP (no connection) from 172.26.x.x/62898 to 104.16.27.235/80 flags RST ACK on interface inside

Deny TCP (no connection) from 172.26.x.x/62315 to 208.111.168.7/80 flags RST ACK on interface inside

Looking to see if these are normal or something to look into? Let me know if there's anything else I can post

Hi,I think these are not

Vibhor Amrodia — Thu, 17 Sep 2015 16:49:46 GMT

Hi,

I think these are not normal if they are showing up in large volume.

The logs says that the TCP packet was dropped with the (RST ACK) flag.

Now , the thing is we have to find out why the RST are coming in for these internal Hosts.

It can be different reasons for that(Asymmetric routing , External proxy etc) so you would have to check the captures for the complete stream thru the ASA device and see what you are able to see for the connection.

Thanks and Regards,

Vibhor Amrodia

This may help in trying to

fsebera — Thu, 17 Sep 2015 16:54:35 GMT

This may help in trying to figure out why these are being denied

216.58.216.98 is Google

104.16.27.235 is Cloud Flare Net

208.111.168.7 is Limelight Networks

HTH

Frank