topic No its living one and coming in Network Security

Issue with Telnet Session across ASA firewall (ASA Conn flags )

Chapwe378 — Sun, 10 Mar 2019 13:44:57 GMT

Hello,

I have an issue with a Connection am trying to set up i have an application that is connecting to a remote server via Telnet but (UNIX server) but every time a Syn /Ack is established it cuts the connection and resets the TCP connection. On the ASA firewall i have (5520) i keep getting the below flag from the source device to remote device under the show conn command.

TCP fmbmalawi 10.50.8.143:7500 inside 10.29.12.50:49403, idle 0:00:00, bytes 17, flags UfFRI

I need to Know why this is so cause all permissions have been done at IP Level and also, when i telnet from the source Device to remote server windows gives me a NO AUTHORIZATION PROMPT and kicks me out instantly after telnet session. i need to know if this is an application issue or it could be an IPS maybe in play at remote site causing this ?

Kind Regards

Chapwe

This can happen with non

Philip D'Ath — Tue, 10 Jan 2017 01:42:57 GMT

This can happen with non-symmetric traffic.

Any chance the traffic is leaving one interface but coming back on another?

UfFRI flag means

Pranay Prasoon — Tue, 10 Jan 2017 04:49:37 GMT

UfFRI flag means

U= 3-way handshake complete

f = Inside FIN

F= outside FIN

R= Inside Ack for outside FIN

I= Received inbound data

It seems for some reason both machine are sending FIN packets. It might be an application issue.

Can you try below command:-

sysopt connection timewait

My suspicion was Application

Chapwe378 — Tue, 10 Jan 2017 09:06:30 GMT

My suspicion was Application as well but i want to exhaust all IP scenarios first.

is this command for ASA cmd

Chapwe378 — Tue, 10 Jan 2017 09:08:17 GMT

is this command for ASA cmd or IPS terminal ?

sysopt connection timewait giving unrecognized in ASA

Try the command I suggested..

Pranay Prasoon — Tue, 10 Jan 2017 09:08:39 GMT

Try the command I suggested....This is not assymetric issue as the three way handshake is completing as we can see U flag

No its living one and coming

Chapwe378 — Tue, 10 Jan 2017 09:09:14 GMT

No its living one and coming back on the same interface.

It is ASA command....Please

Pranay Prasoon — Tue, 10 Jan 2017 09:32:44 GMT

It is ASA command....Please see command reference

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s17.html

Alright found the issue, it

Chapwe378 — Tue, 10 Jan 2017 11:04:35 GMT

Alright found the issue, it was an issue with the arp cache on one of the internal gateway routers before the ASA causing this so after clearing arp cache this was resolved.

Thanks for the assist all.

Kind Regards