FWSM Error - Deny TCP (no connection) from x.x.x.x/44767 to y.y.y.y/10102 flags FIN ACK on interface outside

markferrara
Level 1

Hi,

We are experiencing an issue whereby our Symantec Net Backup Devices are failing duplication over a metro-ethernet WAN link.

A few seconds before the server event log shows an error, I am seeing a log entry on the ASDM of each FWSM as follows:

FWSM Error - Deny TCP (no connection) from x.x.x.x/44767 to y.y.y.y/10102 flags FIN ACK on interface outside

Could this be a tcp timeout issue?

Any help on this would be appreciated.

Thanks in advance.

Mark.

1 Reply

Jouni Forss
VIP Alumni

Hi,

This is just speculation on my part.

First of all, it would seem like a situation where some host is trying, on its part, to tear down a TCP connection. The problem is that the FWSM has already removed the connection previously and therefore has no knowledge of the connection that the host is trying to terminate.

Could it be that the other host has sent a TCP FIN first and the other end of the said TCP connection hasn't replied anything to this TCP FIN? At the same time the FWSM has probably applied a different "timeout" timer for this connection, as the other end of the connection has already started to close it. Now, when the other endpoint doesn't reply anything to the FIN, the FWSM will eventually remove the connection, and after some time the host that didn't reply to the TCP FIN decides to send its TCP FIN,ACK, which the FWSM doesn't recognize as a valid connection anymore.

I'm not sure if I'm correct with the above speculation or if it will help at all, but I just thought I'd write it anyway.

I guess you could try to go through your firewall logs from the server and try to find whether the FWSM has closed/torn down some TCP connection before, with a reason referring to a timeout being reached.

I would also consider configuring a capture on the FWSM itself or somewhere on the network with a separate computer to see what exactly happens with the connections.

- Jouni
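As an added example (not part of the original thread or of any Cisco tooling), a small Python correlator for the check Jouni suggests: for each "Deny TCP (no connection)" carrying a FIN, look back for an earlier teardown of the same flow and report whether the FWSM's recorded reason was a timeout. The sample log lines are constructed and modelled on the ASA/FWSM teardown (302014) and deny (106015) message formats; addresses, ports and durations are placeholders.

```python
import re

# Constructed sample syslog excerpt (not from the original post). The
# addresses, ports and durations are placeholders chosen for illustration.
SAMPLE_LOG = """\
%FWSM-6-302013: Built outbound TCP connection 9001 for outside:10.0.0.5/44767 (10.0.0.5/44767) to inside:10.1.1.20/10102 (10.1.1.20/10102)
%FWSM-6-302014: Teardown TCP connection 9001 for outside:10.0.0.5/44767 to inside:10.1.1.20/10102 duration 0:10:03 bytes 48211 FIN Timeout
%FWSM-6-106015: Deny TCP (no connection) from 10.0.0.5/44767 to 10.1.1.20/10102 flags FIN ACK on interface outside
%FWSM-6-302014: Teardown TCP connection 9002 for outside:10.0.0.5/44800 to inside:10.1.1.20/10102 duration 0:00:12 bytes 1200 TCP FINs
%FWSM-6-106015: Deny TCP (no connection) from 10.0.0.9/51000 to 10.1.1.20/10102 flags FIN ACK on interface outside
%FWSM-6-106015: Deny TCP (no connection) from 10.0.0.9/51001 to 10.1.1.20/10102 flags RST on interface outside
"""

TEARDOWN_RE = re.compile(
    r"Teardown TCP connection \d+ for \S+:(\S+)/(\d+) to \S+:(\S+)/(\d+) "
    r"duration \S+ bytes \d+ (.*)$")
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (\S+)/(\d+) to (\S+)/(\d+) "
    r"flags (.+?) on interface (\S+)")


def correlate(log_text):
    """Walk the log in order. Remember the reason for every teardown; when a
    'Deny TCP (no connection)' with a FIN appears, report whether the same
    flow (in either direction) was torn down earlier and why."""
    teardowns = {}   # (src, sport, dst, dport) -> teardown reason string
    findings = []
    for line in log_text.splitlines():
        t = TEARDOWN_RE.search(line)
        if t:
            src, sport, dst, dport, reason = t.groups()
            teardowns[(src, int(sport), dst, int(dport))] = reason.strip()
            continue
        d = DENY_RE.search(line)
        if not d:
            continue
        src, sport, dst, dport, flags, iface = d.groups()
        if "FIN" not in flags.split():
            continue  # only late FIN/ACK teardown attempts are of interest here
        key = (src, int(sport), dst, int(dport))
        reason = teardowns.get(key) or teardowns.get((dst, int(dport), src, int(sport)))
        findings.append({
            "flow": f"{src}/{sport} -> {dst}/{dport}",
            "interface": iface,
            "teardown_reason": reason,                     # None if never seen
            "timeout_related": bool(reason and "timeout" in reason.lower()),
        })
    return findings
```

A deny with `teardown_reason` of `None` means the FWSM never logged a teardown for that flow at all, which points away from the timeout explanation and towards asymmetric routing or a path the firewall never saw being built.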
