https://community.cisco.com/t5/network-security/asa5505-blocking-return-traffic/m-p/2296637#M343554 <P>Our network has slowed to a crawl and upon investigation it looks as if the ASA5505 is blocking returning traffic. The syslog is full of these from legitimate sites:</P><P></P><P>2013-08-30 16:58:01 local4.critical 192.168.1.254&nbsp; Aug 30 2013 16:53:38: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/46099 flags PSH ACK&nbsp; on interface outside\n</P><P>2013-08-30 16:58:03 local4.critical 192.168.1.254&nbsp; Aug 30 2013 16:53:40: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/31820 flags ACK&nbsp; on interface outside\n</P><P>I'm not really sure where to go next so any help would be appreciated.</P><P>2013-08-30 16:58:01 local4.critical 192.168.1.254&nbsp; Aug 30 2013 16:53:38: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/46099 flags PSH ACK&nbsp; on interface outside\n</P><P>2013-08-30 16:58:03 local4.critical 192.168.1.254&nbsp; Aug 30 2013 16:53:40: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/31820 flags ACK&nbsp; on interface outside\n</P><P></P><P>We are also using Websense. I have a 'filter except' exception for the above examples (207.131.246.15) for both http and https. I have also reduced MTU to 1472 on the outside just to test. I also upgraded from 256 to 512 memory thinking maybe it was being stressed.</P><P></P><P>It seems to work for a while and then out of nowhere shuts everyone down from wherever they are browsing and then about 20 seconds to a minute later it starts up again.</P><P></P><P>I'm not really sure where to go next.</P><P></P><P>I have attached (what I hope is) a scrubbed config.</P><P></P><P>Thank you.</P> Tue, 12 Mar 2019 02:33:39 GMT drice11089 2019-03-12T02:33:39Z https://community.cisco.com/t5/network-security/asa5505-blocking-return-traffic/m-p/2296637#M343554 <P>Our network has slowed to a crawl and upon investigation it looks as if the ASA5505 is blocking returning traffic. The syslog is full of these from legitimate sites:</P><P></P><P>2013-08-30 16:58:01 local4.critical 192.168.1.254&nbsp; Aug 30 2013 16:53:38: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/46099 flags PSH ACK&nbsp; on interface outside\n</P><P>2013-08-30 16:58:03 local4.critical 192.168.1.254&nbsp; Aug 30 2013 16:53:40: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/31820 flags ACK&nbsp; on interface outside\n</P><P>I'm not really sure where to go next so any help would be appreciated.</P><P>2013-08-30 16:58:01 local4.critical 192.168.1.254&nbsp; Aug 30 2013 16:53:38: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/46099 flags PSH ACK&nbsp; on interface outside\n</P><P>2013-08-30 16:58:03 local4.critical 192.168.1.254&nbsp; Aug 30 2013 16:53:40: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/31820 flags ACK&nbsp; on interface outside\n</P><P></P><P>We are also using Websense. I have a 'filter except' exception for the above examples (207.131.246.15) for both http and https. I have also reduced MTU to 1472 on the outside just to test. I also upgraded from 256 to 512 memory thinking maybe it was being stressed.</P><P></P><P>It seems to work for a while and then out of nowhere shuts everyone down from wherever they are browsing and then about 20 seconds to a minute later it starts up again.</P><P></P><P>I'm not really sure where to go next.</P><P></P><P>I have attached (what I hope is) a scrubbed config.</P><P></P><P>Thank you.</P> Tue, 12 Mar 2019 02:33:39 GMT https://community.cisco.com/t5/network-security/asa5505-blocking-return-traffic/m-p/2296637#M343554 drice11089 2019-03-12T02:33:39Z https://community.cisco.com/t5/network-security/asa5505-blocking-return-traffic/m-p/2296638#M343557 <HTML><HEAD></HEAD><BODY><P>Are there all sites affected or only the one mentioned? </P><P>Do you have 2 uplinks and running into&nbsp; asymmetric routing error?</P><P></P><P><A _jive_internal="true" href="https://community.cisco.com/docs/DOC-14491">https://supportforums.cisco.com/docs/DOC-14491</A></P><P></P><P></P><P></P><P></P><P>Michael <BR /> <BR />Please rate all helpful posts</P></BODY></HTML> Fri, 06 Sep 2013 13:11:05 GMT https://community.cisco.com/t5/network-security/asa5505-blocking-return-traffic/m-p/2296638#M343557 Michael Muenz 2013-09-06T13:11:05Z https://community.cisco.com/t5/network-security/asa5505-blocking-return-traffic/m-p/2296639#M343558 <HTML><HEAD></HEAD><BODY><P> I looked for asymmetric routing. We have one other router attached to the internet but that just does VPN to a datacenter and has a specific route set up on the gateway for it. Nothing else should be getting to it other than the single IP address routed to it.</P><P></P><P>It seems to be affecting any ip address that needs a persistant connection. As an example I had to download Chrome to a PC this morning and it kept losing connection about 50% through the download. So from my experiments what I can tell is that it makes the first connection no problem, but quickly dies after that and a new connection has to be made. Also when this happens the IP address being accessed shows up in the "SYN Attack" list in ADSM. I have attached an image of the issue. The number one item on the list is a website we use all day long.</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/1/0/5/154501-asdm.jpg" class="jive-image" /></P></BODY></HTML> Fri, 06 Sep 2013 15:09:56 GMT https://community.cisco.com/t5/network-security/asa5505-blocking-return-traffic/m-p/2296639#M343558 drice11089 2013-09-06T15:09:56Z