topic Re: Return traffic from port 80 denied in Network Security

Return traffic from port 80 denied

scottyd — Mon, 11 Mar 2019 13:29:42 GMT

Hi all,

I have seen this a lot with routers and PIXs. Traffic with a source port of port 80 and destination of a dynamic port is denied on the outside interface.

The traffic is from legitimate web servers that users are browsing through the NATed inspected interface. The websites appear to be working fine though. It does produce a lot of denies in my MARS logging though.

It this normal or do I have a config problem? Is there something up with the web server not returning traffic correctly?

I have attached the sanitised config.

Re: Return traffic from port 80 denied

Marwan ALshawi — Tue, 12 Aug 2008 05:15:48 GMT

try to add the

inspect http

to the

policy-map global_policy

class inspection_default

good luck

Re: Return traffic from port 80 denied

fsmontenegro — Tue, 12 Aug 2008 11:25:04 GMT

Hi,

I'm seeing something similar on ASAs with 7.2(4): very, very busy logging because of connections that are "denied" usually related to the regular traffic.

The best explanation I have so far (I'm still researching) is that the client connections (or server, for that matter) are being closed with TCP Resets from one side and any traffic from the other side gets immediately denied as the PIX/ASA clears the state table for that connection.

It is also making a mess of my MARS logging...

Re: Return traffic from port 80 denied

robertson.michael — Tue, 12 Aug 2008 21:15:21 GMT

Hi,

I would start by taking a look at a couple of things:

1. Do you see the connection being built as the initial SYN comes through? If so, what interfaces is the connection built between?

2. What do the syslogs show as a deny reason? If you see the packet being denied due to "no connection", do the interfaces involved match the ones that you saw when the connection was built?

Often times, this behavior will be caused by asymmetric routing/alternate paths to the Internet in your network. As an example, the initial SYN of the TCP connection may find its way out to the Internet through a path other than the firewall. The web server will still receive this SYN and respond with a SYN-ACK as expected. However, when this SYN-ACK hits the outside interface of the ASA, the ASA will drop the traffic because it never saw the initial SYN and it believes that the SYN-ACK is unsolicited.

Take a look at the syslogs that show if the initial connection is being built and also the logs that show the reason why the return traffic is being denied. Also, packet captures will be useful in figuring out exactly how the packets are flowing through your network.

Hope that helps.

-Mike

Re: Return traffic from port 80 denied

scottyd — Tue, 12 Aug 2008 21:42:02 GMT

Thanks all for your feedback.

I have tried the inspect http command and have yet to see traffic on port 80 being denied. Not sure if it has been resolved yet. However I am still getting problems for HTTPS.

It seems to me that the connection is built up then it is torn down 10 seconds later and packets are denied. Then it is built up again.

I have attached the log from MARS. It is in reverse order in time. I have replaced the public IP with 1.1.1.1 and the website as 2.2.2.2.

thanks

Scott

Re: Return traffic from port 80 denied

joe.favia — Wed, 13 Aug 2008 13:43:33 GMT

Hi,

I've seen this type of error when there are routing problems in ACTIVE-ACTIVE firewall configurations, but this doesn't seem to be your case.

Joe

Re: Return traffic from port 80 denied

robertson.michael — Wed, 13 Aug 2008 18:21:43 GMT

Hi Scott,

It looks like the logs show your connection being torn down due to normal TCP FINs. I would recommend getting packet captures on both sides of the firewall to see exactly what the connection looks like.

-Mike

Re: Return traffic from port 80 denied

scottyd — Tue, 14 Oct 2008 02:48:45 GMT

Thanks for your input so far.

I still can not find the problem. Unfortunatly it is diffcult for me to sniff the traffic, as it is remote to me.

I am also seeing Resets tearing down the connection. Is there a way of extending the teardown time?

<134>Oct 14 2008 15:48:01: %ASA-6-302014: Teardown TCP connection 317Â7146 for outside:198.133.219.25/80 to inside:172.16.0.29/2158 duration 0:00Â:02 bytes 5191 TCP Reset-I

<134>Oct 14 2008 15:48:01: %ASA-6-106100: access-list outside_access_Âin denied tcp outside/198.133.219.25(80) -> inside/2.2.2.2(44219)Â hit-cnt 1 first hit [0x2c1c6a65, 0x0]