doubt with ASA log

Diego Maciel Gomes — Tue, 12 Mar 2019 00:31:33 GMT

Hello all,

I'm receiving this flood line like below in my log, look:

Dec 3 16:05:00 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.2.50/54429 to 10.11.5.20/5666 flags PSH ACK on interface inside

When I'm in 172.19.2.50 server, I can connect into 10.11.5.20 on tcp/5666 port.

So, Why am I receiving those messages in my log?

Thanks.

Diego

doubt with ASA log

Julio Carvajal — Mon, 03 Dec 2012 20:39:30 GMT

Hello,

Looks like at the time you are receving the log the ASA has already closed the TCP connection so he does not expect a TCP PSH packet , he needs to see the three way handshake again,

Why are they exchanging info after the connection got closed??

Do you have the teardown-connection log for that specific connection, I want to see how much time happens between the FIN packets and the PSH ACK.

So if you have them, share them

Regards,

doubt with ASA log

Diego Maciel Gomes — Tue, 04 Dec 2012 11:01:23 GMT

Hi,

Follow the log:

Dec 4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.19/0 gaddr 172.19.4.113/53027 laddr 172.19.4.113/53027

Dec 4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/54051 laddr 172.19.4.113/54051

Dec 4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/54051 laddr 172.19.4.113/54051

Dec 4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.20/0 gaddr 172.19.4.113/54563 laddr 172.19.4.113/54563

Dec 4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.17/0 gaddr 172.19.4.113/55331 laddr 172.19.4.113/55331

Dec 4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.20/0 gaddr 172.19.4.113/54563 laddr 172.19.4.113/54563

Dec 4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.17/0 gaddr 172.19.4.113/55331 laddr 172.19.4.113/55331

Dec 4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.13/0 gaddr 172.19.4.113/58915 laddr 172.19.4.113/58915

Dec 4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.13/0 gaddr 172.19.4.113/58915 laddr 172.19.4.113/58915

Dec 4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.15/0 gaddr 172.19.4.113/48675 laddr 172.19.4.113/48675

Dec 4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.15/0 gaddr 172.19.4.113/48675 laddr 172.19.4.113/48675

Dec 4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.10/0 gaddr 172.19.4.113/46883 laddr 172.19.4.113/46883

Dec 4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.10/0 gaddr 172.19.4.113/46883 laddr 172.19.4.113/46883

Dec 4 08:55:33 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670306 for dmz:10.11.7.20/5666 (10.11.7.20/5666) to inside:172.19.4.113/51467 (172.19.4.113/51467)

Dec 4 08:55:33 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670306 for dmz:10.11.7.20/5666 to inside:172.19.4.113/51467 duration 0:00:00 bytes 2792 TCP FINs

Dec 4 08:55:34 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670308 for dmz:10.11.7.21/5666 (10.11.7.21/5666) to inside:172.19.4.113/43008 (172.19.4.113/43008)

Dec 4 08:55:34 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670308 for dmz:10.11.7.21/5666 to inside:172.19.4.113/43008 duration 0:00:00 bytes 2792 TCP FINs

Dec 4 08:55:37 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670312 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60040 (172.19.4.113/60040)

Dec 4 08:55:37 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670313 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60041 (172.19.4.113/60041)

Dec 4 08:55:37 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670313 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60041 duration 0:00:00 bytes 840 TCP FINs

Dec 4 08:55:37 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670312 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60040 duration 0:00:00 bytes 840 TCP Reset-O

Dec 4 08:55:37 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60040 to 10.11.7.17/5666 flags PSH ACK on interface inside

Dec 4 08:55:39 10.11.2.2 %ASA-6-302016: Teardown UDP connection 1670103 for inside:172.19.4.113/55775 to identity:10.11.2.2/161 duration 0:02:01 bytes 144

Dec 4 08:55:44 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec 4 08:55:44 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec 4 08:55:45 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec 4 08:55:45 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec 4 08:55:46 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec 4 08:55:46 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec 4 08:55:46 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670322 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60055 (172.19.4.113/60055)

Dec 4 08:55:46 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670322 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60055 duration 0:00:00 bytes 824 TCP Reset-O

Dec 4 08:55:46 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60055 to 10.11.7.17/5666 flags PSH ACK on interface inside

Dec 4 08:55:47 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec 4 08:55:47 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec 4 08:55:48 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec 4 08:55:48 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec 4 08:55:51 10.11.2.2 %ASA-6-302016: Teardown UDP connection 1670115 for inside:172.19.4.113/53500 to identity:10.11.2.2/161 duration 0:02:01 bytes 152

Dec 4 08:55:56 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670335 for dmz:10.11.7.20/5666 (10.11.7.20/5666) to inside:172.19.4.113/51507 (172.19.4.113/51507)

Dec 4 08:55:56 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670335 for dmz:10.11.7.20/5666 to inside:172.19.4.113/51507 duration 0:00:00 bytes 2792 TCP FINs

Dec 4 08:55:57 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670336 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60070 (172.19.4.113/60070)

Dec 4 08:55:57 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670336 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60070 duration 0:00:00 bytes 840 TCP FINs

doubt with ASA log

Julio Carvajal — Tue, 04 Dec 2012 17:33:43 GMT

Hello Diego,

Here is what the logs show us:

Dec 4 08:55:37 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670312 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60040 duration 0:00:00 bytes 840 TCP Reset-O

Dec 4 08:55:37 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60040 to 10.11.7.17/5666 flags PSH ACK on interface inside

Based on those logs I can tell you that the DMZ host is sending a Reset Packet, so the connection gets closed, afterwards the same host sends a packet but as the connection is already closed the ASA will drop the packet.

You could try a TCP state-bypass rule to make this happen but the question here is why is not the client starting a new connection...

Can you add the following command and check what happens:

service resetinbound

Regards

topic doubt with ASA log in Network Security

doubt with ASA log

doubt with ASA log

doubt with ASA log

doubt with ASA log