10-20-2011 03:36 PM - edited 03-11-2019 02:40 PM
Hi,
I'm hoping someone might be able to offer some help. I am coming to my wits' end trying to figure this one out; I hope I'm missing the obvious.
I have a server in a DMZ behind the ASA. Connections to this server work sometimes and then fail at other times, so I don't think I'm looking at an ACL or NAT problem here.
The syslogs report a SYN Timeout, but I don't think that's the whole story.
I have taken a trace on the ASA. It seems that a SYN-ACK does come from the destination server within the 30 sec timeout, but it's not passed through the ASA back to the source. My question is why?
There is one odd thing: what seems to be an out-of-sequence ACK from the destination, which arrives before the SYN-ACK at the ASA. I'm wondering if this might be the problem? This only occurs on the connections which fail; on the connections that work, the destination responds quickly to the initial SYN and the 3-way handshake completes.
I have taken a snapshot of the trace from Wireshark, and the syslogs too. Any help would be most appreciated. FYI, the destination used to sit behind a Check Point where apparently this wasn't an issue.
Syslogs:
Oct 18 19:17:32 nzlsudfedsi001-pri Oct 18 2011 19:17:32 NZLSUDFEDSI001 : %ASA-6-302013: Built outbound TCP connection 42327212 for IIP-ARCHIVE-PROD:172.24.32.31/21 (172.24.32.31/21) to BPO-TRANSIT:x.x.x.x/59392 (x.x.x.x/59392)
Oct 18 19:18:02 nzlsudfedsi001-pri Oct 18 2011 19:18:02 NZLSUDFEDSI001 : %ASA-6-302014: Teardown TCP connection 42327212 for IIP-ARCHIVE-PROD:172.24.32.31/21 to BPO-TRANSIT:x.x.x.x/59392 duration 0:00:30 bytes 0 SYN Timeout
Oct 18 19:18:22 nzlsudfedsi001-pri Oct 18 2011 19:18:22 NZLSUDFEDSI001 : %ASA-6-106015: Deny TCP (no connection) from 172.24.32.31/21 to x.x.x.x/59392 flags SYN ACK on interface IIP-ARCHIVE-PROD
Oct 18 19:19:16 nzlsudfedsi001-pri Oct 18 2011 19:19:16 NZLSUDFEDSI001 : %ASA-6-106015: Deny TCP (no connection) from 172.24.32.31/21 to x.x.x.x/59392 flags SYN ACK on interface IIP-ARCHIVE-PROD
Oct 18 19:20:16 nzlsudfedsi001-pri Oct 18 2011 19:20:16 NZLSUDFEDSI001 : %ASA-6-106015: Deny TCP (no connection) from 172.24.32.31/21 to x.x.x.x/59392 flags SYN ACK on interface IIP-ARCHIVE-PROD
Oct 18 19:21:16 nzlsudfedsi001-pri Oct 18 2011 19:21:16 NZLSUDFEDSI001 : %ASA-6-106015: Deny TCP (no connection) from 172.24.32.31/21 to x.x.x.x/59392 flags RST ACK on interface IIP-ARCHIVE-PROD
Thanks again in advance.
10-23-2011 12:20 AM
Error Message Decoder says:
%ASA-6-106015:
Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.
The security appliance discarded a TCP packet that has no associated connection in the security appliance's connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.
Recommended Action:
None required unless the security appliance receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.
So my question is: does this server have any other interfaces connected to it? Are these interfaces in other subnets?
A routing issue on the server could also be a factor.
---
HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer."
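The syslog excerpt in the first post and the 106015 decoder text in the reply describe the same mechanism from two sides: the ASA tears down the embryonic connection on SYN Timeout (302014), and any SYN-ACK that arrives from the server afterwards has no connection-table entry, so it is dropped as "Deny TCP (no connection)" (106015). The script below is an added example, not part of either post or of any Cisco tool: it parses the five log lines quoted above (embedded verbatim as constructed sample input, with the poster's x.x.x.x redaction kept) and correlates each SYN-Timeout teardown with later 106015 denies on the same flow, reporting how long after the original SYN, and after the teardown, each late reply was seen. On this data it shows the first SYN-ACK reaching the ASA 50 s after the connection was built and 20 s after the 30 s embryonic timeout expired, followed by two more SYN-ACK retransmissions and a final RST. The message formats are the standard ASA ones shown in the thread; the regexes and field names are this example's own assumptions.

```python
import re
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample input: the syslog lines quoted in the thread, copied verbatim.
# x.x.x.x is the original poster's own redaction of the client address.
SAMPLE_SYSLOG = """\
Oct 18 19:17:32 nzlsudfedsi001-pri Oct 18 2011 19:17:32 NZLSUDFEDSI001 : %ASA-6-302013: Built outbound TCP connection 42327212 for IIP-ARCHIVE-PROD:172.24.32.31/21 (172.24.32.31/21) to BPO-TRANSIT:x.x.x.x/59392 (x.x.x.x/59392)
Oct 18 19:18:02 nzlsudfedsi001-pri Oct 18 2011 19:18:02 NZLSUDFEDSI001 : %ASA-6-302014: Teardown TCP connection 42327212 for IIP-ARCHIVE-PROD:172.24.32.31/21 to BPO-TRANSIT:x.x.x.x/59392 duration 0:00:30 bytes 0 SYN Timeout
Oct 18 19:18:22 nzlsudfedsi001-pri Oct 18 2011 19:18:22 NZLSUDFEDSI001 : %ASA-6-106015: Deny TCP (no connection) from 172.24.32.31/21 to x.x.x.x/59392 flags SYN ACK on interface IIP-ARCHIVE-PROD
Oct 18 19:19:16 nzlsudfedsi001-pri Oct 18 2011 19:19:16 NZLSUDFEDSI001 : %ASA-6-106015: Deny TCP (no connection) from 172.24.32.31/21 to x.x.x.x/59392 flags SYN ACK on interface IIP-ARCHIVE-PROD
Oct 18 19:20:16 nzlsudfedsi001-pri Oct 18 2011 19:20:16 NZLSUDFEDSI001 : %ASA-6-106015: Deny TCP (no connection) from 172.24.32.31/21 to x.x.x.x/59392 flags SYN ACK on interface IIP-ARCHIVE-PROD
Oct 18 19:21:16 nzlsudfedsi001-pri Oct 18 2011 19:21:16 NZLSUDFEDSI001 : %ASA-6-106015: Deny TCP (no connection) from 172.24.32.31/21 to x.x.x.x/59392 flags RST ACK on interface IIP-ARCHIVE-PROD
"""

Endpoint = Tuple[str, int]      # (ip, port)
FlowKey = FrozenSet[Endpoint]   # direction-independent identity of one TCP flow

# Header: the ASA's own timestamp (with year), hostname, then %ASA-<sev>-<msgid>: body.
HEADER_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : %ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$"
)
EP = r"(?P<{p}ip>[^\s/]+)/(?P<{p}port>\d+)"   # ip/port endpoint, prefix a or b
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection (?P<cid>\d+) for [^:]+:" + EP.format(p="a")
    + r" \([^)]*\) to [^:]+:" + EP.format(p="b")
)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<cid>\d+) for [^:]+:" + EP.format(p="a")
    + r" to [^:]+:" + EP.format(p="b") + r" duration \S+ bytes \d+ (?P<reason>.+)$"
)
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from " + EP.format(p="a") + r" to " + EP.format(p="b")
    + r" flags (?P<flags>.+?) on interface (?P<iface>\S+)"
)
BODY_RE = {"302013": BUILT_RE, "302014": TEARDOWN_RE, "106015": DENY_RE}


def parse_event(line: str) -> Optional[dict]:
    """Parse one ASA syslog line into a dict; None for lines we do not track."""
    m = HEADER_RE.search(line)
    if not m or m["msgid"] not in BODY_RE:
        return None
    bm = BODY_RE[m["msgid"]].search(m["body"])
    if not bm:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), "msgid": m["msgid"]}
    ev.update(bm.groupdict())
    # Key the flow by its two endpoints regardless of which side the ASA lists first.
    ev["flow"] = frozenset({(ev["aip"], int(ev["aport"])), (ev["bip"], int(ev["bport"]))})
    return ev


def find_late_replies(syslog_text: str) -> List[dict]:
    """Pair each SYN Timeout teardown with later 106015 denies on the same flow."""
    built: Dict[str, datetime] = {}        # conn id -> time the embryonic conn was built
    timed_out: Dict[FlowKey, dict] = {}    # flow -> its SYN Timeout teardown event
    findings: List[dict] = []
    for line in syslog_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["msgid"] == "302013":
            built[ev["cid"]] = ev["ts"]
        elif ev["msgid"] == "302014" and ev["reason"] == "SYN Timeout":
            ev["built_ts"] = built.get(ev["cid"])
            timed_out[ev["flow"]] = ev
        elif ev["msgid"] == "106015":
            td = timed_out.get(ev["flow"])
            if td is None or ev["ts"] < td["ts"]:
                continue   # a deny for a flow we never saw time out, or an earlier one
            findings.append({
                "conn_id": td["cid"],
                "flags": ev["flags"],
                "from": f'{ev["aip"]}/{ev["aport"]}',
                "to": f'{ev["bip"]}/{ev["bport"]}',
                "secs_after_syn": (ev["ts"] - td["built_ts"]).total_seconds() if td["built_ts"] else None,
                "secs_after_teardown": (ev["ts"] - td["ts"]).total_seconds(),
            })
    return findings


if __name__ == "__main__":
    for f in find_late_replies(SAMPLE_SYSLOG):
        print(f'conn {f["conn_id"]}: {f["flags"]} from {f["from"]} to {f["to"]} '
              f'{f["secs_after_syn"]:.0f}s after SYN, {f["secs_after_teardown"]:.0f}s after teardown')
```

A flow keyed by its unordered endpoint pair lets the deny (logged server-to-client) match the teardown (logged in whichever order the ASA chose), which is the only way to tie the two message types together without a connection id on the 106015 line. If the same pattern appears across many flows, the delay column is the thing to look at: a SYN-ACK consistently arriving after the embryonic timeout points at the server or the path behind it rather than at ACLs or NAT on the ASA.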
10-24-2011 11:41 AM
Hi,
Thanks for the reply. I don't think this is a routing issue; as you can see on the trace screenshot (well, hopefully) and as described, a SYN-ACK does seem to arrive at the ASA before the timeout would have expired.
Regards
Stu