topic ASA dropping legitimate returning Internet traffic in Network Security https://community.cisco.com/t5/network-security/asa-dropping-legitimate-returning-internet-traffic/m-p/2295336#M345194 <P>Hi all,</P><P></P><P>I recently turned on on the 'stateful' feature on our Internet ASA's. It was once disabled completely due to an Asymmetric routing issue that existed within our network. I have managed to turn this back on for all but the subnets that require an Asymmetric routing path.</P><P></P><P>Now it seems that the ASA's are dropping a significant amount of packets on the OUTSIDE interface for legitimate returning TCP traffiic. At first glance I thought we were under some sort of attack; where the attacker was reversing the source and destination ports; but the source IP addresses are all legitimate well known websites. There does seem to be a ever so slight performance decrease when surfing the web.</P><P></P><P><SPAN style="font-size: 10pt;">I suspect this has something to do with TCP timeout values on either our downstream Proxy (Blue Coat PRoxySG900) or the ASAs but as far as I know they are both set to there defaults. </SPAN></P><P></P><P><SPAN style="font-size: 10pt;">The proxy is masquerading the client's IP behind it's IP Address (192.168.30.133) and proxy is natted behind the ASA's OUTSIDE Interface IP Address.</SPAN></P><P></P><P>My Syslog Server is being flooded with messages like the ones below;</P><P></P><P>%ASA-4-106100: access-list outside_access_in denied tcp OUTSIDE/74.125.237.134(443) -&gt; INSIDE/192.168.30.133(64440)</P><P>%ASA-4-106100: access-list outside_access_in denied tcp OUTSIDE/54.230.72.134(80) -&gt; INSIDE/192.168.30.133(51842)</P><P></P><P><SPAN style="font-size: 10pt;">When I do a 'show asp drop' I see a huge amount of </SPAN><SPAN style="font-size: 10pt;">First TCP Packet not SYN ('</SPAN><SPAN style="font-size: 10pt;">tcp-not-syn') drops. I'm not sure whether these are being generated on the INSIDE or the OUTSIDE interface.</SPAN></P><P></P><P>sh asp drop </P><P> <SPAN style="font-size: 10pt;"> </SPAN></P><P>Frame drop:</P><P>&nbsp; Flow is denied by configured rule (acl-drop)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 95989</P><P>&nbsp; First TCP packet not SYN (tcp-not-syn)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 112941</P><P>&nbsp; Bad TCP flags (bad-tcp-flags)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 18</P><P>&nbsp; TCP data send after FIN (tcp-data-past-fin)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2</P><P>&nbsp; TCP failed 3 way handshake (tcp-3whs-failed)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3280</P><P>&nbsp; TCP RST/FIN out of order (tcp-rstfin-ooo)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 14993</P><P>&nbsp; TCP SYNACK on established conn (tcp-synack-ooo)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 9</P><P>&nbsp; TCP packet SEQ past window (tcp-seq-past-win)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2340</P><P>&nbsp; TCP invalid ACK (tcp-invalid-ack)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1</P><P>&nbsp; TCP RST/SYN in window (tcp-rst-syn-in-win)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 23</P><P>&nbsp; TCP packet failed PAWS test (tcp-paws-fail)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2567</P><P>&nbsp; FP L2 rule drop (l2_acl)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 240223</P><P>&nbsp; Dropped pending packets in a closed socket (np-socket-closed)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 285</P><P></P><P><SPAN style="font-size: 10pt;">Flow drop:</SPAN></P><P>&nbsp; Inspection failure (inspect-fail)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 18</P><P></P><P></P><P>Any assistance would be greatly appreciated!!</P><P></P><P>Best Regards</P><P></P><P>Brett Verney</P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P> Tue, 12 Mar 2019 02:21:13 GMT Brett Verney 2019-03-12T02:21:13Z ASA dropping legitimate returning Internet traffic https://community.cisco.com/t5/network-security/asa-dropping-legitimate-returning-internet-traffic/m-p/2295336#M345194 <P>Hi all,</P><P></P><P>I recently turned on on the 'stateful' feature on our Internet ASA's. It was once disabled completely due to an Asymmetric routing issue that existed within our network. I have managed to turn this back on for all but the subnets that require an Asymmetric routing path.</P><P></P><P>Now it seems that the ASA's are dropping a significant amount of packets on the OUTSIDE interface for legitimate returning TCP traffiic. At first glance I thought we were under some sort of attack; where the attacker was reversing the source and destination ports; but the source IP addresses are all legitimate well known websites. There does seem to be a ever so slight performance decrease when surfing the web.</P><P></P><P><SPAN style="font-size: 10pt;">I suspect this has something to do with TCP timeout values on either our downstream Proxy (Blue Coat PRoxySG900) or the ASAs but as far as I know they are both set to there defaults. </SPAN></P><P></P><P><SPAN style="font-size: 10pt;">The proxy is masquerading the client's IP behind it's IP Address (192.168.30.133) and proxy is natted behind the ASA's OUTSIDE Interface IP Address.</SPAN></P><P></P><P>My Syslog Server is being flooded with messages like the ones below;</P><P></P><P>%ASA-4-106100: access-list outside_access_in denied tcp OUTSIDE/74.125.237.134(443) -&gt; INSIDE/192.168.30.133(64440)</P><P>%ASA-4-106100: access-list outside_access_in denied tcp OUTSIDE/54.230.72.134(80) -&gt; INSIDE/192.168.30.133(51842)</P><P></P><P><SPAN style="font-size: 10pt;">When I do a 'show asp drop' I see a huge amount of </SPAN><SPAN style="font-size: 10pt;">First TCP Packet not SYN ('</SPAN><SPAN style="font-size: 10pt;">tcp-not-syn') drops. I'm not sure whether these are being generated on the INSIDE or the OUTSIDE interface.</SPAN></P><P></P><P>sh asp drop </P><P> <SPAN style="font-size: 10pt;"> </SPAN></P><P>Frame drop:</P><P>&nbsp; Flow is denied by configured rule (acl-drop)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 95989</P><P>&nbsp; First TCP packet not SYN (tcp-not-syn)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 112941</P><P>&nbsp; Bad TCP flags (bad-tcp-flags)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 18</P><P>&nbsp; TCP data send after FIN (tcp-data-past-fin)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2</P><P>&nbsp; TCP failed 3 way handshake (tcp-3whs-failed)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3280</P><P>&nbsp; TCP RST/FIN out of order (tcp-rstfin-ooo)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 14993</P><P>&nbsp; TCP SYNACK on established conn (tcp-synack-ooo)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 9</P><P>&nbsp; TCP packet SEQ past window (tcp-seq-past-win)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2340</P><P>&nbsp; TCP invalid ACK (tcp-invalid-ack)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1</P><P>&nbsp; TCP RST/SYN in window (tcp-rst-syn-in-win)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 23</P><P>&nbsp; TCP packet failed PAWS test (tcp-paws-fail)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2567</P><P>&nbsp; FP L2 rule drop (l2_acl)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 240223</P><P>&nbsp; Dropped pending packets in a closed socket (np-socket-closed)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 285</P><P></P><P><SPAN style="font-size: 10pt;">Flow drop:</SPAN></P><P>&nbsp; Inspection failure (inspect-fail)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 18</P><P></P><P></P><P>Any assistance would be greatly appreciated!!</P><P></P><P>Best Regards</P><P></P><P>Brett Verney</P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P> Tue, 12 Mar 2019 02:21:13 GMT https://community.cisco.com/t5/network-security/asa-dropping-legitimate-returning-internet-traffic/m-p/2295336#M345194 Brett Verney 2019-03-12T02:21:13Z