12-03-2012 10:14 AM - edited 03-11-2019 05:31 PM
Hello all,
I'm receiving a flood of lines like the one below in my log, look:
Dec 3 16:05:00 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.2.50/54429 to 10.11.5.20/5666 flags PSH ACK on interface inside
When I'm on the 172.19.2.50 server, I can connect to 10.11.5.20 on port tcp/5666.
So, why am I receiving those messages in my log?
Thanks.
Diego
12-03-2012 12:39 PM
Hello,
Looks like at the time you are receiving the log the ASA has already closed the TCP connection, so it does not expect a TCP PSH packet; it needs to see the three-way handshake again.
Why are they exchanging info after the connection got closed??
Do you have the teardown-connection log for that specific connection? I want to see how much time passes between the FIN packets and the PSH ACK.
So if you have them, share them.
Regards,
12-04-2012 03:01 AM
Hi,
Here is the log:
Dec 4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.19/0 gaddr 172.19.4.113/53027 laddr 172.19.4.113/53027
Dec 4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/54051 laddr 172.19.4.113/54051
Dec 4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/54051 laddr 172.19.4.113/54051
Dec 4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.20/0 gaddr 172.19.4.113/54563 laddr 172.19.4.113/54563
Dec 4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.17/0 gaddr 172.19.4.113/55331 laddr 172.19.4.113/55331
Dec 4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.20/0 gaddr 172.19.4.113/54563 laddr 172.19.4.113/54563
Dec 4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.17/0 gaddr 172.19.4.113/55331 laddr 172.19.4.113/55331
Dec 4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.13/0 gaddr 172.19.4.113/58915 laddr 172.19.4.113/58915
Dec 4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.13/0 gaddr 172.19.4.113/58915 laddr 172.19.4.113/58915
Dec 4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.15/0 gaddr 172.19.4.113/48675 laddr 172.19.4.113/48675
Dec 4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.15/0 gaddr 172.19.4.113/48675 laddr 172.19.4.113/48675
Dec 4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.10/0 gaddr 172.19.4.113/46883 laddr 172.19.4.113/46883
Dec 4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.10/0 gaddr 172.19.4.113/46883 laddr 172.19.4.113/46883
Dec 4 08:55:33 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670306 for dmz:10.11.7.20/5666 (10.11.7.20/5666) to inside:172.19.4.113/51467 (172.19.4.113/51467)
Dec 4 08:55:33 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670306 for dmz:10.11.7.20/5666 to inside:172.19.4.113/51467 duration 0:00:00 bytes 2792 TCP FINs
Dec 4 08:55:34 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670308 for dmz:10.11.7.21/5666 (10.11.7.21/5666) to inside:172.19.4.113/43008 (172.19.4.113/43008)
Dec 4 08:55:34 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670308 for dmz:10.11.7.21/5666 to inside:172.19.4.113/43008 duration 0:00:00 bytes 2792 TCP FINs
Dec 4 08:55:37 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670312 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60040 (172.19.4.113/60040)
Dec 4 08:55:37 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670313 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60041 (172.19.4.113/60041)
Dec 4 08:55:37 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670313 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60041 duration 0:00:00 bytes 840 TCP FINs
Dec 4 08:55:37 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670312 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60040 duration 0:00:00 bytes 840 TCP Reset-O
Dec 4 08:55:37 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60040 to 10.11.7.17/5666 flags PSH ACK on interface inside
Dec 4 08:55:39 10.11.2.2 %ASA-6-302016: Teardown UDP connection 1670103 for inside:172.19.4.113/55775 to identity:10.11.2.2/161 duration 0:02:01 bytes 144
Dec 4 08:55:44 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
Dec 4 08:55:44 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
Dec 4 08:55:45 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
Dec 4 08:55:45 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
Dec 4 08:55:46 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
Dec 4 08:55:46 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
Dec 4 08:55:46 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670322 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60055 (172.19.4.113/60055)
Dec 4 08:55:46 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670322 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60055 duration 0:00:00 bytes 824 TCP Reset-O
Dec 4 08:55:46 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60055 to 10.11.7.17/5666 flags PSH ACK on interface inside
Dec 4 08:55:47 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
Dec 4 08:55:47 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
Dec 4 08:55:48 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
Dec 4 08:55:48 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333
Dec 4 08:55:51 10.11.2.2 %ASA-6-302016: Teardown UDP connection 1670115 for inside:172.19.4.113/53500 to identity:10.11.2.2/161 duration 0:02:01 bytes 152
Dec 4 08:55:56 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670335 for dmz:10.11.7.20/5666 (10.11.7.20/5666) to inside:172.19.4.113/51507 (172.19.4.113/51507)
Dec 4 08:55:56 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670335 for dmz:10.11.7.20/5666 to inside:172.19.4.113/51507 duration 0:00:00 bytes 2792 TCP FINs
Dec 4 08:55:57 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670336 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60070 (172.19.4.113/60070)
Dec 4 08:55:57 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670336 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60070 duration 0:00:00 bytes 840 TCP FINs
12-04-2012 09:33 AM
Hello Diego,
Here is what the logs show us:
Dec 4 08:55:37 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670312 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60040 duration 0:00:00 bytes 840 TCP Reset-O
Dec 4 08:55:37 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60040 to 10.11.7.17/5666 flags PSH ACK on interface inside
Based on those logs I can tell you that the DMZ host is sending a Reset packet, so the connection gets closed; afterwards the same host sends a packet, but as the connection is already closed the ASA will drop the packet.
You could try a TCP state-bypass rule to make this work, but the question here is why the client is not starting a new connection...
Can you add the following command and check what happens:
service resetinbound
Regards
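The reply above reads the pattern by eye: a 302014 teardown with reason "TCP Reset-O", then a 106015 "Deny TCP (no connection)" for the same endpoints in the same second. The script below, an added example that is not part of the thread and not a Cisco tool, automates that correlation over an ASA syslog excerpt so a defender can separate post-close stragglers (a recent teardown exists for the same 5-tuple) from 106015 denies with no matching connection at all, which deserve a closer look. The sample input is the TCP portion of the log posted in the thread plus one constructed deny line (port 60099) with no prior connection; the 5-second window is an assumed tuning value.

```python
import re
from datetime import datetime

# Sample input: TCP lines copied from the log posted in the thread, plus one
# CONSTRUCTED deny (port 60099) that has no preceding Built/Teardown pair.
SAMPLE_LOG = """\
Dec 4 08:55:37 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670312 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60040 (172.19.4.113/60040)
Dec 4 08:55:37 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670313 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60041 (172.19.4.113/60041)
Dec 4 08:55:37 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670313 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60041 duration 0:00:00 bytes 840 TCP FINs
Dec 4 08:55:37 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670312 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60040 duration 0:00:00 bytes 840 TCP Reset-O
Dec 4 08:55:37 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60040 to 10.11.7.17/5666 flags PSH ACK on interface inside
Dec 4 08:55:46 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670322 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60055 (172.19.4.113/60055)
Dec 4 08:55:46 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670322 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60055 duration 0:00:00 bytes 824 TCP Reset-O
Dec 4 08:55:46 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60055 to 10.11.7.17/5666 flags PSH ACK on interface inside
Dec 4 08:55:57 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670336 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60070 (172.19.4.113/60070)
Dec 4 08:55:57 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670336 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60070 duration 0:00:00 bytes 840 TCP FINs
Dec 4 08:56:10 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60099 to 10.11.7.17/5666 flags PSH ACK on interface inside
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"

# %ASA-6-302014: Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port> ... <reason>
TEARDOWN_RE = re.compile(
    TS + r" \S+ %ASA-6-302014: Teardown TCP connection (?P<cid>\d+) for "
    r"(?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) to "
    r"(?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

# %ASA-6-106015: Deny TCP (no connection) from <ip>/<port> to <ip>/<port> flags <flags> on interface <if>
DENY_RE = re.compile(
    TS + r" \S+ %ASA-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<iface>\w+)$"
)


def parse_ts(text):
    # Syslog has no year; deltas within one day are all we need here.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def endpoint_key(ip1, port1, ip2, port2):
    # Direction-independent key: teardown lists dmz first, deny lists the sender first.
    return tuple(sorted([(ip1, int(port1)), (ip2, int(port2))]))


def correlate_denies(log_text, window_seconds=5):
    """For each 106015 deny, find the most recent 302014 teardown of the same
    endpoint pair within window_seconds and report how the connection ended."""
    teardowns = {}  # endpoint key -> list of (timestamp, conn_id, reason)
    results = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.match(line)
        if m:
            key = endpoint_key(m["ip_a"], m["port_a"], m["ip_b"], m["port_b"])
            teardowns.setdefault(key, []).append(
                (parse_ts(m["ts"]), int(m["cid"]), m["reason"]))
            continue
        m = DENY_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        key = endpoint_key(m["src_ip"], m["src_port"], m["dst_ip"], m["dst_port"])
        recent = [t for t in teardowns.get(key, [])
                  if 0 <= (ts - t[0]).total_seconds() <= window_seconds]
        entry = {"deny_ts": m["ts"], "src": f'{m["src_ip"]}/{m["src_port"]}',
                 "dst": f'{m["dst_ip"]}/{m["dst_port"]}', "flags": m["flags"]}
        if recent:
            t_ts, cid, reason = max(recent)  # latest teardown for this pair
            entry.update(conn_id=cid, reason=reason,
                         gap_seconds=(ts - t_ts).total_seconds(),
                         verdict=f"packet after close ({reason})")
        else:
            # No connection was ever built/torn down for this pair: not a
            # post-close straggler, so it warrants investigation.
            entry.update(conn_id=None, reason=None, gap_seconds=None,
                         verdict="no matching connection in window")
        results.append(entry)
    return results


def count_by_reason(results):
    """Histogram of teardown reasons behind the denies (None = unmatched)."""
    counts = {}
    for r in results:
        counts[r["reason"]] = counts.get(r["reason"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in correlate_denies(SAMPLE_LOG):
        print(f'{r["deny_ts"]} {r["src"]} -> {r["dst"]}: conn {r["conn_id"]} '
              f'gap {r["gap_seconds"]}s -> {r["verdict"]}')
    print(count_by_reason(correlate_denies(SAMPLE_LOG)))
```

On the thread's data both real denies land on a "TCP Reset-O" teardown with a zero-second gap, which is exactly the race the reply describes (the DMZ side resets, the inside host's final PSH ACK arrives after the ASA has dropped state); the constructed 60099 deny is the one that would not be explained by this thread and is flagged separately.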