ASA5505 blocking return traffic

drice11089
Level 1

Our network has slowed to a crawl and upon investigation it looks as if the ASA5505 is blocking returning traffic. The syslog is full of these from legitimate sites:

2013-08-30 16:58:01 local4.critical 192.168.1.254  Aug 30 2013 16:53:38: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/46099 flags PSH ACK  on interface outside

2013-08-30 16:58:03 local4.critical 192.168.1.254  Aug 30 2013 16:53:40: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/31820 flags ACK  on interface outside

I'm not really sure where to go next so any help would be appreciated.

We are also using Websense. I have a 'filter except' exception for the above examples (207.131.246.15) for both http and https. I have also reduced MTU to 1472 on the outside just to test. I also upgraded from 256 to 512 memory thinking maybe it was being stressed.

It seems to work for a while and then out of nowhere shuts everyone down from wherever they are browsing and then about 20 seconds to a minute later it starts up again.

I'm not really sure where to go next.

I have attached (what I hope is) a scrubbed config.

Thank you.
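The two syslog lines above carry the diagnostic clue: the denied packets come from a server port (80) with ACK or PSH ACK set and no SYN, i.e. they are mid-stream return traffic for which the ASA no longer holds a connection entry, not unsolicited connection attempts. The script below is an added example, not code from the original post or from Cisco; it parses %ASA-2-106001 messages, separates orphaned return traffic from genuine unsolicited SYNs, and tallies both per remote host so the pattern can be read off a syslog export. The function names (`parse_log`, `classify`, `summarize`), the `SERVER_PORTS` set and the two extra 203.0.113.9 lines are assumptions constructed for the example; the first two lines are the ones from the post.

```python
import re
from collections import Counter

# Assumed format of the ASA-2-106001 message body (matches the lines in the post):
# "... denied from SRC/SPORT to DST/DPORT flags FLAGS  on interface IFACE"
ASA_106001 = re.compile(
    r"%ASA-2-106001: Inbound TCP connection denied from "
    r"(?P<src>[\w.:]+)/(?P<sport>\d+) to (?P<dst>[\w.:]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)

# Well-known server ports; a packet *from* one of these with ACK set and no SYN
# is a reply to a session the firewall should already know about (assumption).
SERVER_PORTS = {80, 443}

# Constructed sample: lines 1-2 are from the post, lines 3-4 are made-up
# unsolicited SYNs to illustrate the contrast.
SAMPLE_LOG = """\
2013-08-30 16:58:01 local4.critical 192.168.1.254  Aug 30 2013 16:53:38: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/46099 flags PSH ACK  on interface outside
2013-08-30 16:58:03 local4.critical 192.168.1.254  Aug 30 2013 16:53:40: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/31820 flags ACK  on interface outside
2013-08-30 16:58:05 local4.critical 192.168.1.254  Aug 30 2013 16:53:42: %ASA-2-106001: Inbound TCP connection denied from 203.0.113.9/51234 to aaa.bbb.ccc.xxx/22 flags SYN  on interface outside
2013-08-30 16:58:06 local4.critical 192.168.1.254  Aug 30 2013 16:53:43: %ASA-2-106001: Inbound TCP connection denied from 203.0.113.9/51235 to aaa.bbb.ccc.xxx/23 flags SYN  on interface outside
"""


def parse_line(line):
    """Return a dict for one 106001 line, or None if the line is something else."""
    m = ASA_106001.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = set(rec["flags"].split())
    return rec


def parse_log(text):
    """Parse every 106001 line in a syslog export; non-matching lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def classify(rec):
    """Label a denied packet by what its flags and source port imply."""
    flags = rec["flags"]
    if "SYN" in flags and "ACK" not in flags:
        # Unsolicited connection attempt: the deny is the firewall doing its job.
        return "new-connection-attempt"
    if "ACK" in flags and "SYN" not in flags and rec["sport"] in SERVER_PORTS:
        # Reply from a web server with no matching state: lost connection entry
        # or traffic arriving on a path the firewall never saw the SYN on.
        return "orphaned-return-traffic"
    return "other"


def summarize(text):
    """Count (remote host, classification) pairs across the whole log."""
    return Counter((r["src"], classify(r)) for r in parse_log(text))


if __name__ == "__main__":
    for (src, kind), n in summarize(SAMPLE_LOG).most_common():
        print(f"{src:16} {kind:25} {n}")
```

Reading the output side by side with the ASDM "SYN Attack" list separates the two cases: a host that shows up only under "orphaned-return-traffic" is a server whose replies are being dropped, whereas repeated "new-connection-attempt" entries from one source are the pattern a scan produces.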

2 Replies

Michael Muenz
Level 5

Are all sites affected or only the one mentioned?

Do you have 2 uplinks and are running into an asymmetric routing error?

https://supportforums.cisco.com/docs/DOC-14491

Michael

Please rate all helpful posts


I looked for asymmetric routing. We have one other router attached to the internet but that just does VPN to a datacenter and has a specific route set up on the gateway for it. Nothing else should be getting to it other than the single IP address routed to it.

It seems to be affecting any IP address that needs a persistent connection. As an example, I had to download Chrome to a PC this morning and it kept losing connection about 50% through the download. So from my experiments, what I can tell is that it makes the first connection no problem, but quickly dies after that and a new connection has to be made. Also, when this happens the IP address being accessed shows up in the "SYN Attack" list in ASDM. I have attached an image of the issue. The number one item on the list is a website we use all day long.
