I'm seeing weird log entries on my firewall. Like this:
2019-02-11 09:22:55 Local6.Notice 192.168.10.10 Feb 11 2019 09:23:03: %ASA-5-106100: access-list VLAN100_access_in permitted tcp VLAN100/172.24.2.163(8021) -> VLAN200/172.24.0.163(51804) hit-cnt 1 first hit [0xa31bbc5d, 0x00000000]
The weird thing is: it looks like it's a reply (since the destination port is a random one). Does anyone have an idea why I'm seeing this traffic in this log rule?
Could this mean that for some reason the host at 172.24.2.163 dropped its former connection and set up a new TCP connection to the host at 172.24.0.163?
Thanks for the information! Doing a packet capture is no problem, but I'm wondering how I should perform the packet capture. In this case, the VLAN100 IP is indeed the server, and VLAN200 is the client.
If I just capture all inbound and outbound traffic from the server in VLAN100, how would I distinguish this exact traffic? Should I try a capture with the source port in this case? Because tcp/8021 is indeed the right traffic.
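An added example, not part of the original posts: a small Python parser for the %ASA-5-106100 entry quoted above that checks whether the logged direction looks like reply traffic and builds tcpdump-style (BPF) capture filters for exactly this flow. The function names and the ephemeral-port threshold are assumptions made for this illustration.

```python
import re

# Constructed sample: the log entry quoted in the post, minus the syslog prefix.
SAMPLE = ("%ASA-5-106100: access-list VLAN100_access_in permitted tcp "
          "VLAN100/172.24.2.163(8021) -> VLAN200/172.24.0.163(51804) "
          "hit-cnt 1 first hit [0xa31bbc5d, 0x00000000]")

PATTERN = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\)")

# Assumption: IANA dynamic port range. Some operating systems start lower
# (for example 32768), so adjust this to the hosts involved.
EPHEMERAL_MIN = 49152


def parse_106100(line):
    """Return the ACL name, action, protocol and both endpoints, or None."""
    m = PATTERN.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def looks_like_reply(rec):
    """True when the source port is a service port and the destination is ephemeral."""
    return rec["src_port"] < EPHEMERAL_MIN <= rec["dst_port"]


def flow_filter(rec):
    """BPF expression matching both directions of this exact 4-tuple."""
    return ("{proto} and host {src_ip} and host {dst_ip} "
            "and port {src_port} and port {dst_port}").format(**rec)


def new_connection_filter(rec):
    """BPF expression for a bare SYN sent by the logged source from the logged port."""
    return ("src host {src_ip} and dst host {dst_ip} and tcp src port {src_port} "
            "and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn").format(**rec)


if __name__ == "__main__":
    rec = parse_106100(SAMPLE)
    print("reply-like direction:", looks_like_reply(rec))
    print("whole flow:     ", flow_filter(rec))
    print("server-side SYN:", new_connection_filter(rec))
```

If the second filter captures packets, the server at 172.24.2.163 really is opening a new connection from port 8021; if only the first filter matches, the logged packet belongs to a flow the client started.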