I just deployed a 5525-x. I am doing dynamic PAT from the inside to the outside interface. I noticed I am having a lot of these activities logged in my syslog server.
access-list outside_access_in denied tcp outside/22.214.171.124(80) -> inside/172.29.6.50(52055) hit-cnt 1 first hit [0x2c1c6a65, 0x0]
access-list outside_access_in denied udp outside/126.96.36.199(53) -> DMZOUTSIDE/192.168.1.100(63313) hit-cnt 1 first hit [0x2c1c6a65, 0x0]
(syslog id - 106100)
What this appears to be is return traffic to my inside hosts. What is strange though is everything appears to be working correctly. Any ideas as to why the ASA drops/logs this info?
Does not make any sense as everything is working fine... One question:
Is the ASA the only available way out on your network? I mean the internal users and DMZ can only go out via the ASA, there is no other gateway or rogue device providing internet to the outside, so we could be seeing asymmetric routing?
Sorry for the late reply. I wanted to rule out asymmetric routing as I was in the process of migrating users over to the ASA. That has been ruled out, only one way in and out and that is through the ASA.
I am still seeing the drops logged. I am using Manual NAT (after auto) to the outside interface to dynamically pat. I have added an explicit deny all to the end of my outside_in access list, which is what is catching all these entries.
And everything is working perfect right?
Hmm, are you still getting the logs for that particular 188.8.131.52? If yes, please proceed with a capture on the outside interface to see what is going on.
Ouch.....after evaluating LOTS of traffic, I think I have seen some patterns.
The 184.108.40.206 log entry seems to come after the DNS server sends a "server fault" reply.
The other entries all seem to come from late traffic. I will see an HTTP [RST, ACK] sent from the inside host to the web server, then right after that I will see several packets arrive (Wireshark labels them as "TCP segment of a reassembled PDU"). The ASA drops the packets and throws the log entry.
Sounds like the ASA is doing what it should be doing, but since I am logging 3-4,000 of these an hour......
I just added a deny ip any any to the end of a different ASA (my home) and I seem to be noticing the same amount of log activity.
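As an added example that is not part of this thread: a small Python triage script, written here for illustration, that parses the 106100 lines quoted above, ignores other message types, weights each entry by its hit-cnt and buckets the denies into the two patterns the poster describes (late DNS replies on UDP/53 and late TCP segments from web servers), so that thousands of entries an hour can be summarised per remote server instead of read one by one. The sample lines and their addresses are constructed placeholders, and the class names are assumptions made for this example.

```python
import re
from collections import Counter

# Matches the body of an ASA 106100 access-list message, as quoted in the thread:
# access-list <acl> denied <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>) hit-cnt <n> ...
LOG_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\w+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Constructed sample lines modelled on the thread's entries (addresses are placeholders).
SAMPLE_LOGS = [
    "access-list outside_access_in denied tcp outside/203.0.113.10(80) -> inside/172.29.6.50(52055) hit-cnt 1 first hit [0x2c1c6a65, 0x0]",
    "access-list outside_access_in denied tcp outside/203.0.113.10(80) -> inside/172.29.6.50(52056) hit-cnt 3 300-second interval [0x2c1c6a65, 0x0]",
    "access-list outside_access_in denied udp outside/198.51.100.53(53) -> DMZOUTSIDE/192.168.1.100(63313) hit-cnt 1 first hit [0x2c1c6a65, 0x0]",
    "access-list outside_access_in denied tcp outside/192.0.2.7(443) -> inside/172.29.6.51(40001) hit-cnt 2 300-second interval [0x2c1c6a65, 0x0]",
    "%ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/80 to inside:172.29.6.50/52055 duration 0:00:05 bytes 4321 TCP FINs",
]

def parse_106100(line):
    """Return a dict of fields for a 106100 line, or None for any other message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port", "hits"):
        rec[key] = int(rec[key])
    return rec

def classify(rec):
    """Heuristic bucket (names assumed for this example): DNS replies arriving after the UDP
    translation has aged out, or server segments arriving after the client already sent RST."""
    if rec["proto"] == "udp" and rec["src_port"] == 53:
        return "late-dns-reply"
    if rec["proto"] == "tcp" and rec["src_port"] in (80, 443):
        return "late-tcp-segment"
    return "other"

def summarize(lines):
    """Sum hit-cnt per bucket and per remote (src_ip, proto, src_port) for denied entries only."""
    by_class, by_server = Counter(), Counter()
    for line in lines:
        rec = parse_106100(line)
        if rec is None or rec["action"] != "denied":
            continue
        by_class[classify(rec)] += rec["hits"]
        by_server[(rec["src_ip"], rec["proto"], rec["src_port"])] += rec["hits"]
    return by_class, by_server

if __name__ == "__main__":
    classes, servers = summarize(SAMPLE_LOGS)
    print(classes)
    print(servers.most_common(3))
```

A bucket that is not one of the two known patterns, or a single remote server dominating the counts, is the entry worth taking to the asp-drop capture rather than the bulk of the late-traffic noise.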
An ASA at your place, NICE... I want to get one as well...
Are the same kind of drops the ones you are seeing on your ASA?
I mean, with the deny ip any any at the end you are gonna get way too much information. That depends on what kind of traffic is expected.
Can you create the following:
cap asp type asp-drop all circular-buffer
Then let it go over a few seconds and share the following:
show cap asp | include x.x.x.x (where x.x.x.x is the IP address of the traffic being dropped that you are troubleshooting)