12-15-2010 09:22 AM - edited 03-11-2019 12:22 PM
Hi,
I'm being bombarded with tons of the following critical syslog messages:
%ASA-session-2-106001: Inbound TCP connection denied from 62.40.54.215/2189 to 200.x.x.x/445 flags SYN on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 70.62.97.107/443 to 200.x.x.x/61215 flags SYN ACK on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 63.172.25.49/80 to 200.x.x.x/48385 flags FIN ACK on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 198.160.211.11/22 to 200.x.x.x/26518 flags FIN ACK on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 95.28.27.193/3141 to 200.x.x.x/445 flags SYN on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 190.134.144.194/4369 to 200.x.x.x/445 flags SYN on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 63.172.25.24/80 to 200.x.x.x/27633 flags ACK on interface outside
It started yesterday and I'm not sure what's causing it. It seems that someone is trying to get past the firewall and hit our NATd servers on different ports; I see traffic being blocked from various IPs all over the world (spoofed most likely?). I got my ISP involved. Not sure what else to do. Any ideas?
thanks
12-15-2010 12:38 PM
Yes, it looks like an attack. Here is the explanation of this message.
Explanation This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by the security policy that is defined for the specified traffic type. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the security appliance, and it was dropped. The tcp_flags in this packet are FIN and ACK.
The tcp_flags are as follows:
•ACK—The acknowledgment number was received.
•FIN—Data was sent.
•PSH—The receiver passed data to the application.
•RST—The connection was reset.
•SYN—Sequence numbers were synchronized to start a connection.
•URG—The urgent pointer was declared valid.
Since the ASA has dropped those packets per policy, it should be OK for now.
If your inside host is providing a public service (outside can initiate traffic to that Host_IP/port), you might need to pay attention to it. They can initiate SYNs using spoofed IPs to launch a DoS attack. Please refer to "Preventing Network Attacks" in the configuration guide.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html
12-16-2010 10:47 AM
Ok, right before the problem started I made a couple of changes on the ASA: disabled U-turn and removed 1 NAT statement (both were part of a deleted VPN tunnel). So I just re-enabled U-turn and suddenly all of the critical-level logging stopped. Can someone explain what is going on?
thanks again
12-16-2010 02:51 PM
Doesn't make any sense. Why would the firewall stop logging critical level messages?
Is it still in that state? Maybe there are no critical-level logs to log. How about you move a level 6 message to level 2 to verify:
conf t
logging message 302014 level 2
and see if teardown messages now start logging in level 2.
-KS
02-08-2014 11:58 AM
Issue the command service resetinbound. Then the ASA won't just silently drop the packets; instead, it causes the ASA to immediately reset any inbound connection that is denied by the security policy, notifying that its IDENT service is unavailable for that outside user. So the server won't wait for the IDENT packet to time out its TCP connection; instead it immediately receives a reset packet.
10-12-2022 04:45 AM
Hi Forman,
This is not something that is related to your issue but I landed here while trying to fix my own which is -
How do I change the logs format from what you have posted above to the one mentioned below (Notice the session keyword)-
%ASA-2-106001: Inbound TCP connection denied from 198.160.211.11/22 to 200.x.x.x/26518 flags FIN ACK on interface outside
I am consuming all the events in a SIEM solution which has a default parser which cannot be modified and hence I require the logs to be in the mentioned format.
Is there a setting in ASDM or from the CLI to change the log format?
Regards.
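As an added example (not code from any poster in this thread or from Cisco), here is a small Python triage script for the 106001 lines quoted at the top of the thread. It parses both header forms seen on this page (the %ASA-session-2-106001: form from the first post and the %ASA-2-106001: form asked about in the last post, normalizing the former to the latter at the collector, which is a workaround on the log receiver, not an ASA setting) and splits the denied packets by TCP flags: a bare SYN is someone trying to open a new connection to an inside host, while SYN ACK, FIN ACK or bare ACK packets are the reply half of a connection the ASA holds no state for, the case the Cisco explanation above describes. The sample lines are the ones posted in the thread with the redacted 200.x.x.x address kept; the function names (normalize_header, parse_106001, classify, summarize) and the two category labels are choices made for this example, and the classification is a heuristic for a first look at the log volume, not a verdict.

```python
import re
from collections import Counter

# Constructed sample input: the message lines quoted in the thread
# (destination address redacted as 200.x.x.x exactly as posted), plus one
# line in the short header form asked about in the last post.
SAMPLE_LOG = """\
%ASA-session-2-106001: Inbound TCP connection denied from 62.40.54.215/2189 to 200.x.x.x/445 flags SYN on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 70.62.97.107/443 to 200.x.x.x/61215 flags SYN ACK on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 63.172.25.49/80 to 200.x.x.x/48385 flags FIN ACK on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 198.160.211.11/22 to 200.x.x.x/26518 flags FIN ACK on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 95.28.27.193/3141 to 200.x.x.x/445 flags SYN on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 190.134.144.194/4369 to 200.x.x.x/445 flags SYN on interface outside
%ASA-session-2-106001: Inbound TCP connection denied from 63.172.25.24/80 to 200.x.x.x/27633 flags ACK on interface outside
%ASA-2-106001: Inbound TCP connection denied from 198.160.211.11/22 to 200.x.x.x/26518 flags FIN ACK on interface outside
"""

# Matches both "%ASA-session-2-106001:" and "%ASA-2-106001:"; the optional
# class token (e.g. "session") is captured as "cls".
MSG_106001 = re.compile(
    r"^%ASA-(?:(?P<cls>[a-z]+)-)?(?P<sev>\d)-(?P<id>106001): "
    r"Inbound (?P<proto>TCP|UDP) connection denied from "
    r"(?P<src>[\d.x]+)/(?P<sport>\d+) to (?P<dst>[\d.x]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)$"
)


def normalize_header(line):
    """Rewrite '%ASA-<class>-<sev>-<id>:' to '%ASA-<sev>-<id>:'.

    Collector-side workaround (assumed, not an ASA feature): lines already
    in the short form are returned unchanged.
    """
    return re.sub(r"^%ASA-[a-z]+-(\d)-(\d{6}):", r"%ASA-\1-\2:", line)


def parse_106001(line):
    """Return a dict of fields for a 106001 line, or None if it is not one."""
    m = MSG_106001.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = frozenset(rec["flags"].split())
    return rec


def classify(rec):
    """Heuristic split by TCP flags.

    unsolicited_syn  - bare SYN: a new connection attempt to an inside host
                       (probe/scan of that port).
    stateless_return - SYN ACK / FIN ACK / ACK: return traffic for which the
                       ASA has no connection state (the FIN/ACK case in the
                       Cisco explanation), not a new connection attempt.
    """
    flags = rec["flags"]
    if flags == {"SYN"}:
        return "unsolicited_syn"
    if "ACK" in flags:
        return "stateless_return"
    return "other"


def summarize(text):
    """Count denied packets per category, SYN targets per inside port, and
    return-traffic sources per remote service port."""
    by_kind = Counter()
    syn_dports = Counter()
    return_sports = Counter()
    for raw in text.splitlines():
        rec = parse_106001(normalize_header(raw))
        if rec is None:
            continue
        kind = classify(rec)
        by_kind[kind] += 1
        if kind == "unsolicited_syn":
            syn_dports[rec["dport"]] += 1
        elif kind == "stateless_return":
            return_sports[rec["sport"]] += 1
    return {
        "by_kind": dict(by_kind),
        "syn_dports": dict(syn_dports),
        "return_sports": dict(return_sports),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample above, the bare SYNs all target port 445 on the inside host, while every other denied packet is an ACK-bearing reply coming back from a remote service port (80, 443, 22) to a high port, which is the pattern of return traffic with no matching connection rather than of an inbound attack; running the same split over a real day of logs tells you which of the two the "bombardment" is mostly made of.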