ASA 5510 session-2-106001: Inbound TCP connection denied

forman102
Level 1

Hi,

I'm being bombarded with tons of the following critical syslog messages:

%ASA-session-2-106001: Inbound TCP connection denied from 62.40.54.215/2189 to 200.x.x.x/445 flags SYN  on interface outside

%ASA-session-2-106001: Inbound TCP connection denied from 70.62.97.107/443 to 200.x.x.x/61215 flags SYN ACK  on interface outside

%ASA-session-2-106001: Inbound TCP connection denied from 63.172.25.49/80 to 200.x.x.x/48385 flags FIN ACK  on interface outside

%ASA-session-2-106001: Inbound TCP connection denied from 198.160.211.11/22 to 200.x.x.x/26518 flags FIN ACK  on interface outside

%ASA-session-2-106001: Inbound TCP connection denied from 95.28.27.193/3141 to 200.x.x.x/445 flags SYN  on interface outside

%ASA-session-2-106001: Inbound TCP connection denied from 190.134.144.194/4369 to 200.x.x.x/445 flags SYN  on interface outside

%ASA-session-2-106001: Inbound TCP connection denied from 63.172.25.24/80 to 200.x.x.x/27633 flags ACK  on interface outside

It started yesterday and I'm not sure what's causing it. It seems that someone is trying to get past the firewall and hit our NATed servers on different ports; I see traffic being blocked from various IPs all over the world (spoofed most likely?). I got my ISP involved. Not sure what else to do. Any ideas?

thanks

5 Replies

Yudong Wu
Level 7

Yes, it looks like an attack. Here is the explanation of this message.

Explanation: This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by the security policy that is defined for the specified traffic type. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the security appliance, and it was dropped. The tcp_flags in this packet are FIN and ACK.

The tcp_flags are as follows:

ACK—The acknowledgment number was received.

FIN—Data was sent.

PSH—The receiver passed data to the application.

RST—The connection was reset.

SYN—Sequence numbers were synchronized to start a connection.

URG—The urgent pointer was declared valid.

Since the ASA has dropped those packets per policy, it should be OK for now.

If your inside host is providing a public service (outside can initiate traffic to that Host_IP/port), you might need to pay attention to it. They can initiate SYNs using spoofed IPs to launch a DoS attack. Please refer to "Preventing Network Attacks" in the configuration guide.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html

Ok, right before the problem started I made a couple of changes on the ASA: disabled U-turn and removed 1 NAT statement (both were part of a deleted VPN tunnel). So I just re-enabled U-turn and suddenly all of the critical-level logging stopped. Can someone explain what is going on?

thanks again

Doesn't make any sense. Why would the firewall stop logging critical-level messages?

Is it still in that state? Maybe there are no critical-level logs to log. How about you move a level 6 message to level 2 to verify:

conf t

logging message 302014 level 2

and see if teardown messages now start logging in level 2.

-KS

prajithtr_2
Level 1

Issue the command service resetinbound. Then the ASA won't just silently drop the packets; instead, it causes the ASA to immediately reset any inbound connection that is denied by the security policy, notifying that its IDENT service is unavailable for that outside user. So the server won't wait for the IDENT packet to time out its TCP connection; instead it immediately receives a reset packet.

rraj1788
Level 1

Hi Forman,

This is not something that is related to your issue, but I landed here while trying to fix my own, which is:

How do I change the log format from what you have posted above to the one mentioned below (notice the missing session keyword)?

%ASA-2-106001: Inbound TCP connection denied from 198.160.211.11/22 to 200.x.x.x/26518 flags FIN ACK  on interface outside

I am consuming all the events in a SIEM solution which has a default parser that cannot be modified, and hence I require the logs to be in the mentioned format.

Is there a setting in ASDM or from the CLI to change the log format?

Regards.
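As an added example (not code from the thread or from Cisco), here is a small Python parser for message 106001 that accepts both the "%ASA-session-2-106001" form from the original post and the bare "%ASA-2-106001" form the SIEM parser above expects, normalizes the former to the latter, and splits the drops into unsolicited SYNs versus stateless replies as the explanation text describes. The sample log lines are constructed with documentation addresses; the 106001 text layout is taken from the post.

```python
import re
from collections import Counter

# Added example (not code from the thread): parses ASA message 106001 in the
# "%ASA-session-2-106001" form of the post and the bare "%ASA-2-106001" form.
ASA_106001 = re.compile(
    r"%ASA-(?:[a-z]+-)?(?P<level>\d)-106001: Inbound TCP connection denied from "
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to (?P<dst_ip>[\w.]+)/(?P<dst_port>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)

# Constructed sample lines (RFC 5737 documentation addresses), same shape as the post.
SAMPLE = [
    "%ASA-session-2-106001: Inbound TCP connection denied from 198.51.100.7/2189 to 203.0.113.10/445 flags SYN  on interface outside",
    "%ASA-session-2-106001: Inbound TCP connection denied from 192.0.2.44/443 to 203.0.113.10/61215 flags SYN ACK  on interface outside",
    "%ASA-session-2-106001: Inbound TCP connection denied from 192.0.2.45/80 to 203.0.113.10/48385 flags FIN ACK  on interface outside",
    "%ASA-session-2-106001: Inbound TCP connection denied from 198.51.100.9/3141 to 203.0.113.10/445 flags SYN  on interface outside",
    "%ASA-2-106001: Inbound TCP connection denied from 198.51.100.23/4369 to 203.0.113.10/445 flags SYN  on interface outside",
]

def normalize(line):
    """Drop the class token ('session-') so a parser that only knows '%ASA-<level>-<id>' accepts the line."""
    return re.sub(r"^%ASA-[a-z]+-(\d)-(\d{6}):", r"%ASA-\1-\2:", line, count=1)

def parse_106001(line):
    """Return the fields of a 106001 line as a dict, or None for any other message."""
    m = ASA_106001.match(normalize(line))
    if not m:
        return None
    rec = m.groupdict()
    for k in ("level", "src_port", "dst_port"):
        rec[k] = int(rec[k])
    rec["flags"] = tuple(rec["flags"].split())   # e.g. ("SYN", "ACK")
    return rec

def classify(rec):
    """A bare SYN is an unsolicited connection attempt; anything else is a reply/late packet with no state."""
    return "unsolicited-syn" if rec["flags"] == ("SYN",) else "stateless-reply"

def summarize(lines):
    """Unsolicited SYNs per destination port and the distinct sources behind them."""
    syn_by_port, sources = Counter(), set()
    for line in lines:
        rec = parse_106001(line)
        if rec is None:
            continue
        if classify(rec) == "unsolicited-syn":
            syn_by_port[rec["dst_port"]] += 1
            sources.add(rec["src_ip"])
    return syn_by_port, sources
```

Feeding a day of 106001 lines through summarize() shows whether the SYNs concentrate on one exposed port (as on 445 in the post) or are spread out, which is what decides whether a NAT or ACL change, rather than an attack, explains the burst.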
