doubt with ASA log

Hello all,

I'm receiving a flood of lines like the one below in my log:

Dec  3 16:05:00 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.2.50/54429 to 10.11.5.20/5666 flags PSH ACK  on interface inside                  

When I'm on the 172.19.2.50 server, I can connect to 10.11.5.20 on port tcp/5666.

So, Why am I receiving those messages in my log?

Thanks.

Diego


Julio Carvajal
VIP Alumni

Hello,

Looks like at the time you are receiving the log the ASA has already closed the TCP connection, so it does not expect a TCP PSH packet; it needs to see the three-way handshake again.

Why are they exchanging information after the connection was closed?

Do you have the teardown-connection log for that specific connection? I want to see how much time passes between the FIN packets and the PSH ACK.

So if you have them, share them.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Here is the log:

Dec  4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.19/0 gaddr 172.19.4.113/53027 laddr 172.19.4.113/53027

Dec  4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/54051 laddr 172.19.4.113/54051

Dec  4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/54051 laddr 172.19.4.113/54051

Dec  4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.20/0 gaddr 172.19.4.113/54563 laddr 172.19.4.113/54563

Dec  4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.17/0 gaddr 172.19.4.113/55331 laddr 172.19.4.113/55331

Dec  4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.20/0 gaddr 172.19.4.113/54563 laddr 172.19.4.113/54563

Dec  4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.17/0 gaddr 172.19.4.113/55331 laddr 172.19.4.113/55331

Dec  4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.13/0 gaddr 172.19.4.113/58915 laddr 172.19.4.113/58915

Dec  4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.13/0 gaddr 172.19.4.113/58915 laddr 172.19.4.113/58915

Dec  4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.15/0 gaddr 172.19.4.113/48675 laddr 172.19.4.113/48675

Dec  4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.15/0 gaddr 172.19.4.113/48675 laddr 172.19.4.113/48675

Dec  4 08:55:32 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.10/0 gaddr 172.19.4.113/46883 laddr 172.19.4.113/46883

Dec  4 08:55:32 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.10/0 gaddr 172.19.4.113/46883 laddr 172.19.4.113/46883

Dec  4 08:55:33 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670306 for dmz:10.11.7.20/5666 (10.11.7.20/5666) to inside:172.19.4.113/51467 (172.19.4.113/51467)

Dec  4 08:55:33 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670306 for dmz:10.11.7.20/5666 to inside:172.19.4.113/51467 duration 0:00:00 bytes 2792 TCP FINs

Dec  4 08:55:34 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670308 for dmz:10.11.7.21/5666 (10.11.7.21/5666) to inside:172.19.4.113/43008 (172.19.4.113/43008)

Dec  4 08:55:34 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670308 for dmz:10.11.7.21/5666 to inside:172.19.4.113/43008 duration 0:00:00 bytes 2792 TCP FINs

Dec  4 08:55:37 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670312 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60040 (172.19.4.113/60040)

Dec  4 08:55:37 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670313 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60041 (172.19.4.113/60041)

Dec  4 08:55:37 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670313 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60041 duration 0:00:00 bytes 840 TCP FINs

Dec  4 08:55:37 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670312 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60040 duration 0:00:00 bytes 840 TCP Reset-O

Dec  4 08:55:37 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60040 to 10.11.7.17/5666 flags PSH ACK  on interface inside

Dec  4 08:55:39 10.11.2.2 %ASA-6-302016: Teardown UDP connection 1670103 for inside:172.19.4.113/55775 to identity:10.11.2.2/161 duration 0:02:01 bytes 144

Dec  4 08:55:44 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec  4 08:55:44 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec  4 08:55:45 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec  4 08:55:45 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec  4 08:55:46 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec  4 08:55:46 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec  4 08:55:46 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670322 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60055 (172.19.4.113/60055)

Dec  4 08:55:46 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670322 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60055 duration 0:00:00 bytes 824 TCP Reset-O

Dec  4 08:55:46 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60055 to 10.11.7.17/5666 flags PSH ACK  on interface inside

Dec  4 08:55:47 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec  4 08:55:47 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec  4 08:55:48 10.11.2.2 %ASA-6-302020: Built outbound ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec  4 08:55:48 10.11.2.2 %ASA-6-302021: Teardown ICMP connection for faddr 10.11.7.21/0 gaddr 172.19.4.113/23333 laddr 172.19.4.113/23333

Dec  4 08:55:51 10.11.2.2 %ASA-6-302016: Teardown UDP connection 1670115 for inside:172.19.4.113/53500 to identity:10.11.2.2/161 duration 0:02:01 bytes 152

Dec  4 08:55:56 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670335 for dmz:10.11.7.20/5666 (10.11.7.20/5666) to inside:172.19.4.113/51507 (172.19.4.113/51507)

Dec  4 08:55:56 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670335 for dmz:10.11.7.20/5666 to inside:172.19.4.113/51507 duration 0:00:00 bytes 2792 TCP FINs

Dec  4 08:55:57 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670336 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60070 (172.19.4.113/60070)

Dec  4 08:55:57 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670336 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60070 duration 0:00:00 bytes 840 TCP FINs

Hello Diego,

Here is what the logs show us:

Dec  4 08:55:37 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670312 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60040 duration 0:00:00 bytes 840 TCP Reset-O

Dec  4 08:55:37 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60040 to 10.11.7.17/5666 flags PSH ACK  on interface inside

Based on those logs I can tell you that the DMZ host is sending a reset packet, so the connection gets closed; afterwards the same host sends a packet, but as the connection is already closed, the ASA will drop the packet.

You could try a TCP state-bypass rule to make this happen, but the question here is why the client is not starting a new connection...

Can you add the following command and check what happens:

service resetinbound

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
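The correlation Julio did by eye above (pair each 106015 deny with the 302014 teardown for the same 4-tuple and read off the teardown reason) is worth automating when the denies arrive as a flood. The script below is an added example, not code from the thread or from Cisco: it parses ASA 302014 and 106015 syslog lines, keys them on the direction-agnostic (ip, port) pair so "dmz:10.11.7.17/5666 to inside:172.19.4.113/60040" and "from 172.19.4.113/60040 to 10.11.7.17/5666" match, and tags each deny with the reason of the teardown that preceded it within a short window. The sample log is a constructed subset of the lines Diego posted plus one made-up deny with no matching teardown; the regexes, the 5-second window and the `DenyEvent` record are this example's own assumptions. The security-relevant split is the summary at the end: a deny that follows a `TCP Reset-O` or `TCP FINs` teardown is a host talking after its peer closed the flow (an application or timing problem, the case in this thread), whereas a deny with no recent teardown for that flow is an out-of-state packet the firewall never saw a handshake for, which deserves a look (asymmetric routing, a spoofed segment, a probe) before anyone reaches for tcp-state-bypass, which disables stateful inspection for the matching traffic.

```python
"""Correlate ASA 106015 'Deny TCP (no connection)' events with the 302014 teardown
that preceded them for the same flow, so each deny can be tied to a reason."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: lines from the thread above plus one made-up deny (port 60099)
# that has no matching teardown, to show the "unmatched" case.
SAMPLE_LOG = """\
Dec  4 08:55:37 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670312 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60040 (172.19.4.113/60040)
Dec  4 08:55:37 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670313 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60041 (172.19.4.113/60041)
Dec  4 08:55:37 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670313 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60041 duration 0:00:00 bytes 840 TCP FINs
Dec  4 08:55:37 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670312 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60040 duration 0:00:00 bytes 840 TCP Reset-O
Dec  4 08:55:37 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60040 to 10.11.7.17/5666 flags PSH ACK  on interface inside
Dec  4 08:55:46 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670322 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60055 (172.19.4.113/60055)
Dec  4 08:55:46 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670322 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60055 duration 0:00:00 bytes 824 TCP Reset-O
Dec  4 08:55:46 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60055 to 10.11.7.17/5666 flags PSH ACK  on interface inside
Dec  4 08:55:57 10.11.2.2 %ASA-6-302013: Built outbound TCP connection 1670336 for dmz:10.11.7.17/5666 (10.11.7.17/5666) to inside:172.19.4.113/60070 (172.19.4.113/60070)
Dec  4 08:55:57 10.11.2.2 %ASA-6-302014: Teardown TCP connection 1670336 for dmz:10.11.7.17/5666 to inside:172.19.4.113/60070 duration 0:00:00 bytes 840 TCP FINs
Dec  4 08:56:10 10.11.2.2 %ASA-6-106015: Deny TCP (no connection) from 172.19.4.113/60099 to 10.11.7.17/5666 flags PSH ACK  on interface inside
"""

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"

# %ASA-6-302014: Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port> duration <d> bytes <n> <reason>
TEARDOWN = re.compile(
    SYSLOG_TS + r" \S+ %ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) to "
    r"(?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) duration \S+ bytes \d+ (?P<reason>.+?)\s*$"
)

# %ASA-6-106015: Deny TCP (no connection) from <ip>/<port> to <ip>/<port> flags <flags> on interface <if>
DENY = re.compile(
    SYSLOG_TS + r" \S+ %ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?)\s+on interface (?P<iface>\w+)"
)


@dataclass
class DenyEvent:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    teardown_reason: Optional[str]  # "TCP Reset-O", "TCP FINs", ... or None if no recent teardown
    delta_seconds: Optional[float]  # seconds between that teardown and the deny


def parse_ts(text: str) -> datetime:
    # Syslog timestamps carry no year; strptime defaults it to 1900, which is fine for deltas.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def flow_key(ip1, port1, ip2, port2):
    # Direction-agnostic 4-tuple: the teardown and the deny list the endpoints in opposite order.
    return frozenset({(ip1, int(port1)), (ip2, int(port2))})


def correlate(log_text: str, window_seconds: float = 5.0):
    """Walk the log in order, remembering the last teardown per flow; when a 106015 deny
    arrives for the same flow within window_seconds, attach that teardown's reason."""
    last_teardown = {}
    events = []
    for line in log_text.splitlines():
        m = TEARDOWN.match(line)
        if m:
            key = flow_key(m["ip_a"], m["port_a"], m["ip_b"], m["port_b"])
            last_teardown[key] = (parse_ts(m["ts"]), m["reason"])
            continue
        m = DENY.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        hit = last_teardown.get(flow_key(m["src"], m["sport"], m["dst"], m["dport"]))
        reason, delta = None, None
        if hit is not None:
            delta = (ts - hit[0]).total_seconds()
            if 0 <= delta <= window_seconds:
                reason = hit[1]
            else:
                delta = None  # too old to explain this deny; treat as unmatched
        events.append(DenyEvent(ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                                m["flags"], reason, delta))
    return events


def summarize(events):
    """Count denies by the teardown reason that preceded them ('unmatched' = no recent teardown)."""
    return dict(Counter(e.teardown_reason or "unmatched" for e in events))


if __name__ == "__main__":
    found = correlate(SAMPLE_LOG)
    for e in found:
        print(f"{e.ts:%b %d %H:%M:%S} {e.src}:{e.sport} -> {e.dst}:{e.dport} "
              f"flags={e.flags!r} after={e.teardown_reason} delta={e.delta_seconds}")
    print(summarize(found))
```

On the posted lines both denies land in the same second as a `TCP Reset-O` teardown of their own flow, which is the pattern Julio describes; the constructed 60099 deny shows up as `unmatched`. Feed the script the full syslog export rather than the excerpt, and widen `window_seconds` if the ASA's clock and the collector's buffering put teardown and deny more than a few seconds apart.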