Deny TCP (no connection) RST ACK

aelsbernd
Level 1

ASA 5520

Logs are flooded with multiple Deny TCP entries on interface inside, from internal user IPs to unknown outside public IPs:

Deny TCP (no connection) from 172.26.x.x/63422 to 216.58.216.98/443 flags RST ACK on interface inside

Deny TCP (no connection) from 172.26.x.x/62898 to 104.16.27.235/80 flags RST ACK on interface inside

Deny TCP (no connection) from 172.26.x.x/62315 to 208.111.168.7/80 flags RST ACK on interface inside

Looking to see if these are normal or something to look into. Let me know if there's anything else I can post.


Vibhor Amrodia
Cisco Employee

Hi,

I think these are not normal if they are showing up in large volume.

The log says that the TCP packet was dropped with the (RST ACK) flags.

Now, the thing is we have to find out why the RSTs are coming in for these internal hosts.

There can be different reasons for that (asymmetric routing, external proxy, etc.), so you would have to check the captures for the complete stream through the ASA device and see what you are able to see for the connection.

Thanks and Regards,

Vibhor Amrodia
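Before pulling captures, it helps to quantify the drops per destination and confirm whether every one of them is the bare RST ACK pattern (the late reset a host sends after the ASA has already removed the connection from its table) or whether other flag combinations are mixed in. The following Python is an added example, not part of this thread; the sample lines are constructed from the messages in the post, with the masked 172.26.x.x hosts filled in with made-up addresses.

```python
import re
from collections import Counter

# Body of the ASA "Deny TCP (no connection)" message quoted in the thread
# (ASA syslog id 106015); search() tolerates any syslog prefix.
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)

# Constructed sample lines modelled on the post; the masked 172.26.x.x hosts
# are filled in with made-up addresses. The last line is a different message.
SAMPLE_LOGS = [
    "%ASA-6-106015: Deny TCP (no connection) from 172.26.10.5/63422 to 216.58.216.98/443 flags RST ACK on interface inside",
    "%ASA-6-106015: Deny TCP (no connection) from 172.26.10.5/62898 to 104.16.27.235/80 flags RST ACK  on interface inside",
    "%ASA-6-106015: Deny TCP (no connection) from 172.26.10.7/62315 to 208.111.168.7/80 flags RST ACK  on interface inside",
    "%ASA-6-106015: Deny TCP (no connection) from 172.26.10.7/62316 to 208.111.168.7/80 flags RST ACK on interface inside",
    "%ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.9/443 to inside:172.26.10.5/63421 duration 0:00:12 bytes 5120 TCP FINs",
]

def parse_deny(line):
    """Return the fields of one Deny TCP (no connection) line, or None if the
    line is some other message."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["flags"] = tuple(rec["flags"].split())   # e.g. ("RST", "ACK")
    return rec

def summarize(lines):
    """Count denies per destination socket and per TCP flag combination."""
    per_dst, per_flags = Counter(), Counter()
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            continue
        per_dst[(rec["dst"], rec["dport"])] += 1
        per_flags[rec["flags"]] += 1
    return per_dst, per_flags

def only_rst_ack(per_flags):
    """True when every drop is the bare RST ACK pattern (a late reset after the
    ASA already tore the connection down); anything else warrants a capture."""
    return set(per_flags) == {("RST", "ACK")}

if __name__ == "__main__":
    dst, flags = summarize(SAMPLE_LOGS)
    print(dst.most_common(3), "only RST ACK:", only_rst_ack(flags))
```

The per-destination counts give you the IPs worth a whois lookup, and a mixed flag set points to the stream to capture first.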

fsebera
Level 4

This may help in trying to figure out why these are being denied:

216.58.216.98 is Google

104.16.27.235 is Cloud Flare Net

208.111.168.7 is Limelight Networks

HTH

Frank
