Re: ASA - Orphaned Traffic

asidd · ‎09-05-2020

Hi All,

I have separate bidirectional rules in my firewall (ASA 5545-X) for different applications (including VoIP). What is puzzling here is if i capture logs for the traffic coming from OUTSIDE (of firewall) back into the segmented environment i am seeing entries that should have been logged under inside interfaces initiating those connections. Reason why i am saying that: i am seeing a lower end source port session logged under the OUTSIDE interface with a higher end DP. Examples:

SA: 10.100.11.20, SP: TCP(88) , DA=10.47.10.42, DP(50014 to 65408)

SA: 10.100.11.20, SP: UDP(53) , DA=10.47.10.37, DP(58146)

Is the firewall closing the session so it gets logged under a new session under OUTSIDE. Is there a timer issue here i need to check where it waits for a response and if it doesnt see it under a specific amount of time it will log it against the OUTSIDE rather than associating it to a session built from Inside (10.47.x.x)

Mohammed al Baqari · ‎09-06-2020

Hi,

Do a full packet capture to see the entire flow. I have seen this with smb
traffic where the connections are not closed properly at the server side
while they are already close at client side. This makes responses from
server appear as new conn on firewall especially if they have SYN flag.

*** please remember to rate useful posts

asidd · ‎09-06-2020

Thanks for the feedback. A quick question. Wouldn't firewall be independent of the client side closure. It is a transit device with it's own timeouts. Also i am seeing it on many different types of traffic SMB, DNS, LDAP etc. Every second or third flow is like this. This is happening so often that it looks like this is normal behaviour.

asidd · ‎09-07-2020

Any further comments on these from any experts out there?