https://community.cisco.com/t5/network-security/asa-log-deny-tcp-fin-ack-on-int-mgmt/m-p/1223977#M859730 <HTML><HEAD></HEAD><BODY><P>That is exactly my point and I would view this as a deficiency. The ASA should be able to properly terminate connections, especially from / to itself.</P><P> </P><P>Let me know if you agree or disagree with the assessment.</P><P> </P><P>Also, I opened a dialog on NetPro on this topic. Would you be willing to post your respose there too? At least one other person was seeking a resolution for this issue.</P><P> </P><P> </P><P>Thanks,</P><P> </P><P>Mike Palmer</P><P>Bremer Financial.</P></BODY></HTML> Fri, 22 May 2009 19:19:25 GMT mlpalmer 2009-05-22T19:19:25Z https://community.cisco.com/t5/network-security/asa-log-deny-tcp-fin-ack-on-int-mgmt/m-p/1223973#M859726 <P>While in ASDM via the management interface, I get ASA log entries every 30 seconds with 'deny TCP (no connection) from *** to ***/443 flags FIN ACK on interface management'. Operation of ASDM is not impacted, but I'd like to correct this if possible.</P> Mon, 11 Mar 2019 15:33:52 GMT https://community.cisco.com/t5/network-security/asa-log-deny-tcp-fin-ack-on-int-mgmt/m-p/1223973#M859726 mlpalmer 2019-03-11T15:33:52Z https://community.cisco.com/t5/network-security/asa-log-deny-tcp-fin-ack-on-int-mgmt/m-p/1223974#M859727 <HTML><HEAD></HEAD><BODY><P>I have exactly the same problem, and would love to know a fix too.</P></BODY></HTML> Tue, 19 May 2009 14:41:15 GMT https://community.cisco.com/t5/network-security/asa-log-deny-tcp-fin-ack-on-int-mgmt/m-p/1223974#M859727 handsy 2009-05-19T14:41:15Z https://community.cisco.com/t5/network-security/asa-log-deny-tcp-fin-ack-on-int-mgmt/m-p/1223975#M859728 <HTML><HEAD></HEAD><BODY><P>Opened a TAC case. I'll make sure the results get posted.</P></BODY></HTML> Fri, 22 May 2009 17:16:02 GMT https://community.cisco.com/t5/network-security/asa-log-deny-tcp-fin-ack-on-int-mgmt/m-p/1223975#M859728 mlpalmer 2009-05-22T17:16:02Z https://community.cisco.com/t5/network-security/asa-log-deny-tcp-fin-ack-on-int-mgmt/m-p/1223976#M859729 <HTML><HEAD></HEAD><BODY><P>I did a recreate in my lab.I saw the exact same behaviour.</P><P>What we all are seeing appears to be a normal behavior.</P><P> </P><P>When you load up ASDM, there is one main connection to the ASA interface on port 443 via which GUI is populated. The other possible connection</P><P>could be logging connection via which ASDM gets logs from ASA. </P><P> </P><P>Apart from this, if there is any command which you need to execute from ASDM, or when you navigate through ASDM windows/frames, most of them would cause ASDM to send a command to ASA and use the output to populate</P><P>the fields on GUI. These commands are *not* sent on the same connection via which GUI is visible, but via a new separate connection. As soon as</P><P>ASA gets the output, the connection is closed and the FIN+ACK is denied because connection no longer exists. </P><P></P></BODY></HTML> Fri, 22 May 2009 19:15:25 GMT https://community.cisco.com/t5/network-security/asa-log-deny-tcp-fin-ack-on-int-mgmt/m-p/1223976#M859729 suschoud 2009-05-22T19:15:25Z https://community.cisco.com/t5/network-security/asa-log-deny-tcp-fin-ack-on-int-mgmt/m-p/1223977#M859730 <HTML><HEAD></HEAD><BODY><P>That is exactly my point and I would view this as a deficiency. The ASA should be able to properly terminate connections, especially from / to itself.</P><P> </P><P>Let me know if you agree or disagree with the assessment.</P><P> </P><P>Also, I opened a dialog on NetPro on this topic. Would you be willing to post your respose there too? At least one other person was seeking a resolution for this issue.</P><P> </P><P> </P><P>Thanks,</P><P> </P><P>Mike Palmer</P><P>Bremer Financial.</P></BODY></HTML> Fri, 22 May 2009 19:19:25 GMT https://community.cisco.com/t5/network-security/asa-log-deny-tcp-fin-ack-on-int-mgmt/m-p/1223977#M859730 mlpalmer 2009-05-22T19:19:25Z