topic Re: ASA Blocking remote site in Network Security

ASA Blocking remote site

mo shea — Mon, 11 Mar 2019 16:44:04 GMT

Hi...

We have the following setup

Data Center--> 2 6506 Switches (vss)--> 2 ASAs (Active/Standby) Outside--> 7206 Router connecting several E1 (G.703) sites

OSPF is running on 6506, ASA, and routers.

ASA is running 7.0 code, no nat is configured

One of our remote sites connected via a 2mb E1 G.703 link was being denied by the asa, with many messages like the one below.

%asa-2-106001: Inbound tcp connection denied from "DataCenter server ip"/80 to "Remote site ip"/1535 flags syn ack on interface outside

I was also getting many messages like - UDP denied due to DNS reply. This site has been running fine for 2 months before this incident.

I was able to telnet from my pc (asa inside segment) to the remote site router, but couldnt get any further. None of the remote site users were able to access the dat center resources.

The problem was resolved when I shut down the serial interface on the 7206 router connecting to that site and no shut it again.

Now I do not suspect any syn attack since the connection was fine after the interface was reset.

Could it be asymmetric routing, Although this is a point to point link?

Can our SP cause asymetric routing? To be more specific can asymetric routing occur due to layer 2 issues? The reason behind my question is that previously we faced a link problem with the same remote site and it was SP related, they had 2 active connections to the site although we have 1 E1 circuit?

I wonder if there are any other reasons that I might have overlooked.

All Help is appreciated

Thanks

Re: ASA Blocking remote site

andrew.prince — Wed, 02 Dec 2009 14:30:43 GMT

You should check your router logs for OSPF routing changes to see if there was a loop/suboptimal route around the time this happend

Re: ASA Blocking remote site

mo shea — Wed, 02 Dec 2009 18:52:14 GMT

Thanks Andrew for reply.

Could you elaborate more on how a loop or suboptimal route could cause the ASA to drop traffic? The problematic site is connected to the main site via single p2p serial link.

Thanks again

Re: ASA Blocking remote site

andrew.prince — Thu, 03 Dec 2009 10:22:52 GMT

In your original post you posted:-

"%asa-2-106001: Inbound tcp connection denied from "DataCenter server ip"/80 to "Remote site ip"/1535 flags syn ack on interface outside"

Do you have an acl on the outside of the ASA in the oubound direction?

Re: ASA Blocking remote site

mo shea — Thu, 03 Dec 2009 20:10:14 GMT

I do not have any acls on the outbound direction. There is only one acl on the outside in the inbound direction. It feels strange that the ASA was blocking outbound traffic and to this site only, since other remote sites were accessing the DC freely.

I still wonder whether SP layer 2 issues can cause asymmetric routing that makes ASA to act this way

Thanks again

Re: ASA Blocking remote site

andrew.prince — Fri, 04 Dec 2009 11:05:19 GMT

It all has to do with the log entry - again I post it:-

"%asa-2-106001: Inbound tcp connection denied from "DataCenter server ip"/80 to "Remote site ip"/1535 flags syn ack on interface outside"

According to your diagram - below:-

Data Center--> 2 6506 Switches (vss)--> 2 ASAs (Active/Standby) Outside--> 7206 Router connecting several E1 (G.703) sites

Why would the ASA recevie a frame on the outside interface with a source IP of a data center device trying to get to a remote end device connected to another interface on the ASA? Unless the 7206 had a route/routes that indicated the next hop for the remote site was the ASA, or there is a posssible another physical loop between the 6506 and the 7206.

Again - check your routing logs at the time of the incident, to see if there is any other indication of a possible issue.

Re: ASA Blocking remote site

mo shea — Sat, 05 Dec 2009 12:17:25 GMT

Thanks Andrew for the explanation. It never hit me until you pointed out the log entry, twice . I will check it out in Monday.

Rds.

Re: ASA Blocking remote site

andrew.prince — Sat, 05 Dec 2009 13:30:56 GMT

np - it's all good.