cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


1885
Views
0
Helpful
2
Replies
Highlighted
Beginner

Deny TCP (no connection) RST ACK

ASA 5520

 

Logs are flooded with multiple Deny TCP entries on interface inside.  From internal user IPs to unknown outside public IPs: 

 

Deny TCP (no connection) from 172.26.x.x/63422 to 216.58.216.98/443 flags RST ACK on interface inside

Deny TCP (no connection) from 172.26.x.x/62898 to 104.16.27.235/80 flags RST ACK  on interface inside

Deny TCP (no connection) from 172.26.x.x/62315 to 208.111.168.7/80 flags RST ACK  on interface inside

 

 

Looking to see if these are normal or something to look into?  Let me know if there's anything else I can post

Everyone's tags (5)
2 REPLIES 2
Cisco Employee

Hi,I think these are not

Hi,

I think these are not normal if they are showing up in large volume.

The logs says that the TCP packet was dropped with the (RST ACK) flag.

Now , the thing is we have to find out why the RST are coming in for these internal Hosts.

It can be different reasons for that(Asymmetric routing , External proxy etc) so you would have to check the captures for the complete stream thru the ASA device and see what you are able to see for the connection.

Thanks and Regards,

Vibhor Amrodia

Enthusiast

 This may help in trying to

 

This may help in trying to figure out why these are being denied

216.58.216.98 is Google

104.16.27.235 is Cloud Flare Net

208.111.168.7 is Limelight Networks

 

HTH

Frank