I have an ASA running 8.0(4). I am auditing the connections that are flowing through the firewall. I have done this by adding an 'ip any any log' rule to the end of my configured ACLs so that I can see what type of traffic is not matching.
What I am seeing in the log is what looks like return traffic, or the SYN/ACK from a connection attempt. It is confusing because the log shows the source and destination to be opposite of what I would expect. I would expect the firewall to maintain state and the ACL to not care about return packets. Is this standard behavior on the ASA, or is this a bug? Is there a way to suppress this output if it really is just return packets that the ASA will allow by default?
Most likely there is a connection timeout happening on the ASA and when the outside host goes to respond, the ASA has no connection table entry for this packet, and the packet drop is logged. If the ASA had a connection table entry for this traffic you would not be seeing this log. I would suggest capturing all traffic going to the remote host to confirm that this is the case.
Thank you for the reply. I'm fairly confident that the connection is not timing out, however. The logs clearly indicate that it is allowing these connections, not dropping them. If there were timeouts, the ASA would drop the packet right away and it would not show up as a permitted connection through the ACL. At least that is the behavior I have always seen on the ASA when it receives a connectionless packet. Also, there is no indication that connectivity is failing to the servers.
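As an added diagnostic example that is not part of this thread: a short Python script that parses ACL-hit syslog lines in the style of the ASA 106100 message and tags each hit whose 5-tuple is the mirror image of an earlier permitted flow, which is the "reversed source and destination" pattern the original question describes. The sample lines, ACL names and addresses are constructed for the example, and the exact message layout is assumed from the 106100 format rather than taken from the poster's logs.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the ASA %ASA-6-106100 ACL-hit message.
# ACL names and addresses are placeholders, not values from the thread.
SAMPLE_LOG = """\
%ASA-6-106100: access-list inside_in permitted tcp inside/10.1.1.5(40212) -> outside/203.0.113.20(443) hit-cnt 1 first hit [0x0, 0x0]
%ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.20(443) -> inside/10.1.1.5(40212) hit-cnt 1 first hit [0x0, 0x0]
%ASA-6-106100: access-list inside_in permitted udp inside/10.1.1.9(53001) -> outside/198.51.100.7(53) hit-cnt 1 first hit [0x0, 0x0]
%ASA-6-106100: access-list outside_in permitted tcp outside/192.0.2.44(52000) -> inside/10.1.1.5(22) hit-cnt 1 first hit [0x0, 0x0]
"""

# Assumed 106100 layout: access-list <acl> <action> <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>)
HIT_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<sif>\w+)/(?P<sip>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\w+)/(?P<dip>[\d.]+)\((?P<dport>\d+)\)"
)

def classify_hits(log_text):
    """Return one record per ACL hit, tagged 'forward' or 'reverse'.

    A hit is 'reverse' when an earlier hit in the log already recorded the
    same 5-tuple in the opposite direction, i.e. it looks like reply traffic
    that a stateful firewall would normally pass on the existing connection
    without consulting the ACL again.
    """
    seen = set()
    records = []
    for line in log_text.splitlines():
        m = HIT_RE.search(line)
        if not m:
            continue  # not an ACL-hit line; ignore
        d = m.groupdict()
        fwd = (d["proto"], d["sip"], d["sport"], d["dip"], d["dport"])
        rev = (d["proto"], d["dip"], d["dport"], d["sip"], d["sport"])
        kind = "reverse" if rev in seen else "forward"
        seen.add(fwd)
        records.append({"acl": d["acl"], "action": d["action"], "kind": kind, "flow": fwd})
    return records

def summarize(log_text):
    """Count hits per (ACL, direction) so reverse-direction matches stand out."""
    return Counter((r["acl"], r["kind"]) for r in classify_hits(log_text))

if __name__ == "__main__":
    for (acl, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{acl:12} {kind:8} {n}")
```

A run of "reverse" hits on the interface facing the responding hosts, with no matching drops, is the pattern to compare against a packet capture before concluding whether the entries are return packets or new connections.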