cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5872
Views
0
Helpful
1
Replies

ASA5515 - %ASA-4-434002: SFR requested to drop TCP packet from ...

Ve Con
Level 1
Level 1

I am looking at the ASA syslog for my website IP.  I found lots of logs like this happened at exact same time and second and date (for different port, eg. 33670, 336578), appeared 31x and then 2 mins later, appear 31x again.

 

%ASA-4-434002: SFR requested to drop TCP packet from DMZ:<site IP>/443 to EXTERNAL:52.55.179.122/36520

 

At the same date and time (slightly different with seconds), on my web server, system event log shows error for Schannel:

 

Event ID 36888
The following fatal alert was generated: 40. The internal error state is 1205.

Event ID 36874
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

 

Questions:

1) if SFR can detect and drop the packet from that EXTERNAL IP, then why web server still receive those Schannel error messages? I assume SFR drop the packets before they can reach the web server.  So, those schannel errors shouldn't appear on the system event log at all.  Did i misunderstand somewhere?

 

2) Why the same ASA message ID: %ASA-4-434002: appears 2 mins later on the syslog server? Reported by the same host name (primary/active).

 

3) I have lots of these 434002 warning messages from syslogs, they are all from amazon.com web service / data center.  Any recommendation for preventing them to hit my site? Each time, different IP was reported, i don't think blocking the IP is an effective way.

1 Reply 1

Rahul Govindan
VIP Alumni
VIP Alumni

What type of event is generated on the Firepower? From the looks of it, the Firepower looks to be dropping the return traffic (server to client). This packet may be triggering some sort of rule on the IPS causing it to be dropped. 

 

I have seen similar symptoms for SSL traffic with the following signature on the Firepower:

 

[1:30514:9] "SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"

 

You might want to check the same on your Firepower system.

Review Cisco Networking for a $25 gift card