Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
21654
Views
20
Helpful
5
Replies

Deny TCP (no connection) - PSH ACK

bluesea2010
Level 5
Level 5

‎01-15-2017 01:06 AM - edited ‎03-12-2019 01:46 AM

Hi,

I am getting the following on my asa firewall

1 ) Jan 15 2017 10:17:19 106015 10.0.1.34 63547 1.1.1.1 80 Deny TCP (no connection) from 10.0.10.34/63547 to 1.1.1.1/80 flags PSH ACK on interface Inside

2 )

6 Jan 15 2017 10:17:19 106015 10.0.1.34 63547 1.1.1.1 80 Deny TCP (no connection) from 10.0.10.34/63547 to 1.1.1.1/80 flags PSH ACK on interface Inside


ACK on interface Outside


Why this happens

Thanks

Labels:
0 Helpful
5 Replies 5

saif musa
Level 4
Level 4

‎01-15-2017 02:20 AM

Hi,

You are logging access attempts that are being denied per your configuration on the ASA. denying unauthorized access attempts. 

Regards

0 Helpful

bluesea2010
Level 5
Level 5
In response to saif musa

‎01-15-2017 02:39 AM

Hi,

you mean denied by acl 

0 Helpful

saif musa
Level 4
Level 4
In response to bluesea2010

‎01-15-2017 09:53 PM

Hi,

Now I made a mistake, I'm sorry. As Mohammed said above, The ASA discarded a TCP packet that has no associated connection in connection table. your device looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the device discards the packet.

Now we need mohammed to tell us if there is a recommended action for this, for me, I would check if the device receives a large volume of these invalid TCP packets. In this case, I will trace the packets to the source and determine the reason these packets were sent.

My first answer was wrong so just discard it please.

Thanks

0 Helpful

Mohammed al Baqari
Level 11
Level 11
In response to saif musa

‎01-16-2017 02:29 AM

You picked it right. You need to traceback to the source and find the reason for sending these packets.

Most of the time I have seen this happening because of the way applications coded to response to RST flags. But definitely worth at looking full TCP session.

If you are sending logs from ASA to SIEM device then you can traceback the entire session. Else, you can configure ASA to capture packets between two hosts and look at the capture later using CLI or wireshark

0 Helpful

Mohammed al Baqari
Level 11
Level 11

‎01-15-2017 07:01 AM

Hi,

Since ASA is statefull firewall, it will allow TCP connections which were correctly established. Now, TCP establish connections using 3-way TCP handshake (SYN , SYN-ACK , ACK).

This log is poping because ASA didn't have TCP connection between these hosts on mentioned ports (SYN/SYN-ACK/ACK) and you can't send PSH-ACK without completing the original TCP handshake.

Now some applications send RST message. ASA will read this message and accordingly terminate the connection. Now the other side of the application will read the RST message and instead of sending ACK, it will send PSH-ACK. ASA will  drop this packet because it terminated the connection based on previous RST. This is very common reason for this message

Hope its clear now.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card