Logs being flooded by "%ASA-6-106015: Deny TCP (no connection)" alerts

handsy
Level 1

I have a problem with "%ASA-6-106015: Deny TCP (no connection)" alerts flooding my logs on a small network recently built.

We have 2 load balancers at separate sites, each one is checking TCP port 4080 is open and active every few seconds on each server. The local checks, i.e. the load balancer checking the locally connected server, are working perfectly, the remote checks through an IPSEC L2L tunnel flag up these "%ASA-6-106015: Deny TCP (no connection)" alerts.

Although I see the alerts, the F5 still reports the servers as both (local and remote) up successfully.

Anyone experienced this behaviour with Cisco ASA5510s and F5s?

Thanks

P.S. my Cisco ASA5510s are running 8.3(1)6 OS.

4 Replies

Kureli Sankar
Cisco Employee

Maybe there is some delay over the tunnel. This message is logged for the following reasons.

1. asymmetry - meaning traffic in one direction takes one path and the reverse direction takes another path (not through the firewall).

2. The response traffic is slow; by the time it arrives, the request session has already timed out.

You need to look at the build and the teardown message for the same connection and find out why it logs these messages.

Here is the syslog link: http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logmsgs.html#wp4768951

-KS

apothula
Level 1

Hi,

As per the precedents of Networking, the first packet of a TCP connection needs to be a SYN (SYNCHRONIZE) packet sent from a client to the Server.

Then the server should respond with a SYN-ACK, acknowledging the SYN sent by the client, and the client sends an ACK acknowledging the same.

This is called the TCP 3-way handshake.

So, the ASA would expect the first packet of a TCP connection to be a SYN packet, i.e. the SYN flag of the packet to be set, and a connection entry would be formed from the said client's IP address to the server's IP address.

If a client tries to send some data without the TCP 3-way handshake being completed (a connection entry being formed on the ASA), the ASA drops those packets with the above mentioned syslog message.

Probable causes might be that the connection actually timed out or closed and either the server or the client is not aware of it, or a malicious host trying to send some data to the server.

Cheers,

Avinash.

Thanks for your help so far.

Here's some logs that might help:

Nov 15 2010 13:49:40: %ASA-6-302013: Built inbound TCP connection 2659826 for ipsec-prod:192.168.50.6/43841 (192.168.50.6/43841) to inside:192.168.51.1/4080 (192.168.51.1/4080)
Nov 15 2010 13:49:40: %ASA-6-302014: Teardown TCP connection 2659826 for ipsec-prod:192.168.50.6/43841 to inside:192.168.51.1/4080 duration 0:00:00 bytes 5003 TCP Reset-O
Nov 15 2010 13:49:40: %ASA-6-106015: Deny TCP (no connection) from 192.168.51.1/4080 to 192.168.50.6/43841 flags FIN PSH ACK  on interface inside

Nov 15 2010 13:50:40: %ASA-6-302013: Built inbound TCP connection 2659932 for ipsec-prod:192.168.50.6/43900 (192.168.50.6/43900) to inside:192.168.51.1/4080 (192.168.51.1/4080)
Nov 15 2010 13:50:40: %ASA-6-302014: Teardown TCP connection 2659932 for ipsec-prod:192.168.50.6/43900 to inside:192.168.51.1/4080 duration 0:00:00 bytes 5003 TCP Reset-O
Nov 15 2010 13:50:40: %ASA-6-106015: Deny TCP (no connection) from 192.168.51.1/4080 to 192.168.50.6/43900 flags FIN PSH ACK  on interface inside

Nov 15 2010 13:52:20: %ASA-6-302013: Built inbound TCP connection 2660100 for ipsec-prod:192.168.50.6/44000 (192.168.50.6/44000) to inside:192.168.51.1/4080 (192.168.51.1/4080)
Nov 15 2010 13:52:20: %ASA-6-302014: Teardown TCP connection 2660100 for ipsec-prod:192.168.50.6/44000 to inside:192.168.51.1/4080 duration 0:00:00 bytes 5003 TCP Reset-O
Nov 15 2010 13:52:20: %ASA-6-106015: Deny TCP (no connection) from 192.168.51.1/4080 to 192.168.50.6/44000 flags FIN PSH ACK  on interface inside

As you can see a TCP connection is built, torn down, then denied all in less than a second!

For me this looks like a timing issue on the ASA? Do I need to fiddle with TCP maps?

> Nov 15 2010 13:49:40: %ASA-6-302013: Built inbound TCP connection 2659826 for ipsec-prod:192.168.50.6/43841 (192.168.50.6/43841) to inside:192.168.51.1/4080 (192.168.51.1/4080)
> Nov 15 2010 13:49:40: %ASA-6-302014: Teardown TCP connection 2659826 for ipsec-prod:192.168.50.6/43841 to inside:192.168.51.1/4080 duration 0:00:00 bytes 5003 TCP Reset-O
> Nov 15 2010 13:49:40: %ASA-6-106015: Deny TCP (no connection) from 192.168.51.1/4080 to 192.168.50.6/43841 flags FIN PSH ACK  on interface inside

The connection was torn down due to Reset-O, which means the reset came from a host on the lower security interface. After which the .51.1 is trying to send some more data for the same flow, and since the conn isn't there anymore this packet is not allowed and logged with the syslog 106015 message.

You need to figure out who sent the reset. If this is VPN traffic I am afraid we will be able to capture the clear traffic on the ASA.

Maybe a capture on the host 192.168.51.1 and another on 192.168.50.6 simultaneously will shed some light.

I hope there are no Websense or other content filtering units in the path, as these conns are getting torn down the same second they are created.

-KS
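The advice in both replies above, that a 106015 deny only makes sense when read next to the 302013 build and 302014 teardown for the same flow, and that a deny with no matching connection at all points at asymmetric routing or a stale session, is easy to automate. The script below is an added example for this thread, not Cisco's or F5's code: it parses the three message types in the format the poster pasted (ASA 8.3 syslog text), keys every event on the direction-independent 4-tuple, and labels each deny as either a stray segment arriving within a few seconds of a teardown (reporting the teardown reason, e.g. TCP Reset-O) or a deny with no prior connection. The sample log embeds the first build/teardown/deny triple from the thread plus one constructed deny line (10.0.0.9) to exercise the second verdict; the five-second window and the verdict names are assumptions of this example.

```python
"""Correlate ASA 302013 / 302014 / 106015 syslog lines per TCP flow.

Added example for this thread (not Cisco or F5 code). It assumes the three
message formats match the lines the poster shared on this page.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# First triple copied from the thread; the last line is CONSTRUCTED to show a
# deny that has no build/teardown for its flow at all.
SAMPLE_LOG = """\
Nov 15 2010 13:49:40: %ASA-6-302013: Built inbound TCP connection 2659826 for ipsec-prod:192.168.50.6/43841 (192.168.50.6/43841) to inside:192.168.51.1/4080 (192.168.51.1/4080)
Nov 15 2010 13:49:40: %ASA-6-302014: Teardown TCP connection 2659826 for ipsec-prod:192.168.50.6/43841 to inside:192.168.51.1/4080 duration 0:00:00 bytes 5003 TCP Reset-O
Nov 15 2010 13:49:40: %ASA-6-106015: Deny TCP (no connection) from 192.168.51.1/4080 to 192.168.50.6/43841 flags FIN PSH ACK  on interface inside
Nov 15 2010 13:50:40: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.9/51000 to 192.168.51.1/4080 flags ACK  on interface inside
"""

TS = r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})"
ENDPOINT = r"[\d.]+/\d+"  # ip/port as printed inside the parentheses

BUILT = re.compile(
    TS + r": %ASA-6-302013: Built (?:inbound|outbound) TCP connection (?P<id>\d+) "
    r"for [^\s:]+:(?P<src>[\d.]+)/(?P<sport>\d+) \(" + ENDPOINT + r"\) "
    r"to [^\s:]+:(?P<dst>[\d.]+)/(?P<dport>\d+) \(" + ENDPOINT + r"\)")
TEARDOWN = re.compile(
    TS + r": %ASA-6-302014: Teardown TCP connection (?P<id>\d+) "
    r"for [^\s:]+:(?P<src>[\d.]+)/(?P<sport>\d+) to [^\s:]+:(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration \S+ bytes \d+ (?P<reason>.+?)\s*$")
DENY = re.compile(
    TS + r": %ASA-6-106015: Deny TCP \(no connection\) "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?)\s+on interface (?P<iface>\S+)")


def parse_ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")


def flow_key(src, sport, dst, dport):
    """Direction-independent key: the deny is logged in the reverse direction
    of the build, so both endpoints are sorted before use."""
    return tuple(sorted(((src, int(sport)), (dst, int(dport)))))


def classify_denies(log_text, window=timedelta(seconds=5)):
    """Walk the log in order and label every 106015 line.

    Returns one dict per deny with verdict 'stray_after_teardown' (a
    teardown for the same flow was seen within `window` before the deny)
    or 'no_prior_connection' (nothing known about that flow)."""
    built_at = {}        # flow key -> build timestamp
    last_teardown = {}   # flow key -> (timestamp, conn id, reason)
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := BUILT.match(line)):
            built_at[flow_key(m["src"], m["sport"], m["dst"], m["dport"])] = parse_ts(m["ts"])
        elif (m := TEARDOWN.match(line)):
            key = flow_key(m["src"], m["sport"], m["dst"], m["dport"])
            last_teardown[key] = (parse_ts(m["ts"]), m["id"], m["reason"])
        elif (m := DENY.match(line)):
            key = flow_key(m["src"], m["sport"], m["dst"], m["dport"])
            ts = parse_ts(m["ts"])
            finding = {"ts": m["ts"], "src": f'{m["src"]}/{m["sport"]}',
                       "dst": f'{m["dst"]}/{m["dport"]}', "flags": m["flags"],
                       "iface": m["iface"], "conn_id": None, "teardown_reason": None,
                       "lifetime_s": None}
            prior = last_teardown.get(key)
            if prior and timedelta(0) <= ts - prior[0] <= window:
                finding["verdict"] = "stray_after_teardown"
                finding["conn_id"], finding["teardown_reason"] = prior[1], prior[2]
                # seconds from build to the stray segment (0 here: same second)
                finding["lifetime_s"] = (ts - built_at.get(key, ts)).total_seconds()
            else:
                finding["verdict"] = "no_prior_connection"
            findings.append(finding)
    return findings


def summarize(findings):
    """Count verdicts, so a flood of 106015 can be triaged at a glance."""
    return Counter(f["verdict"] for f in findings)


if __name__ == "__main__":
    results = classify_denies(SAMPLE_LOG)
    for f in results:
        print(f'{f["ts"]} {f["src"]} -> {f["dst"]} [{f["flags"]}] {f["verdict"]}'
              + (f' (conn {f["conn_id"]}, {f["teardown_reason"]})' if f["conn_id"] else ""))
    print(dict(summarize(results)))
```

On the thread's own lines the script reports the 13:49:40 deny as a FIN/PSH/ACK segment from the server arriving in the same second as a Reset-O teardown of connection 2659826, which is exactly the sequence KS describes; denies that fall in the second bucket are the ones worth checking for asymmetric paths or a session that aged out on the ASA.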
