02-11-2019 12:55 AM - edited 02-21-2020 08:47 AM
Hi all,
I'm seeing weird log entries on my firewall. Like this:
2019-02-11 09:22:55 Local6.Notice 192.168.10.10 Feb 11 2019 09:23:03: %ASA-5-106100: access-list VLAN100_access_in permitted tcp VLAN100/172.24.2.163(8021) -> VLAN200/172.24.0.163(51804) hit-cnt 1 first hit [0xa31bbc5d, 0x00000000]
The weird thing is: it looks like it's a reply (since the destination port is a random one). Does anyone have an idea why I'm seeing this traffic in this log rule?
Could this mean that for some reason the host at 172.24.2.163 dropped his former connection and set up a new TCP connection to the host at 172.24.0.163?
02-11-2019 02:12 AM
02-11-2019 03:54 AM - edited 02-11-2019 03:55 AM
Hi socratesp1980,
Thanks for the information! Doing a packet capture is no problem, but I'm wondering how I should perform the packet capture. In this case, the VLAN100 IP is indeed the server, and VLAN200 is the client.
If I would just capture all in and outbound traffic from the server in VLAN100, how would I distinguish this exact traffic? Should I try a capture with the source port in this case? Because the tcp/8021 is indeed the right traffic.
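The observation in the first post (a random-looking destination port suggests server-to-client traffic) and the 5-tuple needed to single out this flow in a capture, as an added example that is not part of the thread: it parses the 106100 entry quoted above and flags flows whose source port is below the ephemeral range while the destination port is inside it. The 49152 threshold (IANA dynamic range), the function names and the second sample line are assumptions made for the illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Assumption: IANA dynamic/ephemeral range starts at 49152; some stacks use other ranges.
EPHEMERAL_MIN = 49152

# Matches the %ASA-n-106100 layout shown in the thread's log entry.
LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\) "
    r"hit-cnt (?P<hits>\d+)"
)

class Flow(NamedTuple):
    acl: str
    action: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    hits: int

def parse_106100(line: str) -> Optional[Flow]:
    """Return the flow described by a 106100 entry, or None if the line does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return Flow(g["acl"], g["action"], g["proto"], g["src_ip"], int(g["src_port"]),
                g["dst_ip"], int(g["dst_port"]), int(g["hits"]))

def looks_like_reply(flow: Flow) -> bool:
    """Heuristic only: service-side source port, ephemeral destination port."""
    return flow.src_port < EPHEMERAL_MIN <= flow.dst_port

def reply_like_flows(lines: List[str]) -> List[Flow]:
    """Parse every line and keep the flows the heuristic flags."""
    flows = (parse_106100(line) for line in lines)
    return [f for f in flows if f is not None and looks_like_reply(f)]

# First line: the entry from the thread. Second line: constructed client-to-server sample.
SAMPLE = [
    "Feb 11 2019 09:23:03: %ASA-5-106100: access-list VLAN100_access_in permitted tcp VLAN100/172.24.2.163(8021) -> VLAN200/172.24.0.163(51804) hit-cnt 1 first hit [0xa31bbc5d, 0x00000000]",
    "Feb 11 2019 09:23:01: %ASA-5-106100: access-list VLAN200_access_in permitted tcp VLAN200/172.24.0.163(51804) -> VLAN100/172.24.2.163(8021) hit-cnt 1 first hit [0x00000000, 0x00000000]",
]
```

The fields of a flagged `Flow` (both addresses and both ports) are the values to filter on when narrowing a packet capture to this one connection.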