5525-x, 8.6 drop log entries?

Dave Phillips · ‎02-18-2013

I just deployed a 5525-x. I am doing dynamic PAT from the inside to the outside interface. I noticed I am having a lot of these activities logged in my syslog server.

access-list outside_access_in denied tcp outside/184.168.232.7(80) -> inside/172.29.6.50(52055) hit-cnt 1 first hit [0x2c1c6a65, 0x0]

access-list outside_access_in denied udp outside/8.8.8.8(53) -> DMZOUTSIDE/192.168.1.100(63313) hit-cnt 1 first hit [0x2c1c6a65, 0x0]

(syslog id - 106100)

What this appears to be is return traffic to my inside hosts. What is strange though is everything appears to be working correctly. Any ideas as to why the ASA drops/logs this info?

Julio Carvajal · ‎02-21-2013

Hello Dave,

Does not make any sense as everything is working fine...One question..

Is the ASA the only available way out on your network. I mean the internal users and DMZ can only go out via the ASA, there is no other gateway or rogue device providing internet to the outside, so we could be seeing asymetric routing?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Dave Phillips · ‎03-06-2013

Sorry for the late reply. I wanted to rule out asymetric routing as I was in the process of migrating users over to the ASA. That has been ruled out, only one way in and out and that is through the ASA.

I am still seeing the drops logged. I am using Manual NAT (after auto) to the outside interface to dynamically pat. I have added an explicit deny all to the end of my outside_in access list, which is what is catching all these entries.

Julio Carvajal · ‎03-06-2013

Hi,

And everything is working perfect right?

Hmm Are you still getting the logs for that particular 8.8.8.8, if yes please proceed with a capture on the outside interface to see what is going on

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Dave Phillips · ‎03-12-2013

Ouch.....after evaluating LOTS of traffic, I think I have seen some patterns.

The 8.8.8.8 log entry seems to come after the DNS server sends a "server fault" reply.

The other entries all seem to come from late traffic? I will see a http [RST, ACK] sent from the inside host to the web server, then right after that I will see several packets arrive (wireshark labels them as - TCP segment of a reassembled PDU). ASA drops the packets and throws the log entry.

Sounds like the ASA is doing what it should be doing, but since I am logging 3-4,000 of these an hour......

UPDATE:

I just added a deny ip any any to the end of a different ASA (my home) and I seem to noticing the same amount of log activity.

Julio Carvajal · ‎03-12-2013

Hello Dave,

An ASA on your place NICE .... I want to get one as well....

Is the same kind of drops the ones you are seeing on your ASA,

I mean with the deny ip any any at the end you are gonna get way to much information. that depending on what kind of traffic is expected.

Can you create the following:

cap asp type asp-drop all circular-buffer

Then let it go over a few seconds and share the following:

show cap asp | include x.x.x.x ( Where this is the IP address of the traffic being dropped that you are troubleshooting)

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Dave Phillips · ‎03-13-2013

Not really getting much new info from the ASP capture, but I am beginning to think the drops I am seeing here is perfectly normal. It just caught me by surprise.

This is been a great learning experience and I appreciate your help.

Julio Carvajal · ‎03-13-2013

Hello Dave,

Yeah that's what I would think,

Glad to hear that I could help

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC