12-16-2010 07:51 AM - edited 03-11-2019 12:23 PM
Hello,
We currently have an ASA running 7.2(2). We have NAT rules setup to change XXX.XXX.93.106 to 10.70.8.31 on port 636 for external LDAP connection. This rule is working without a problem for two of our external websites.
We are trying to connect to another site but I continue to receive these messages:
6 Dec 16 2010 10:31:49 106015 75.126.254.94 xxx.xxx.93.106 Deny TCP (no connection) from 75.126.254.94/57631 to xxx.xxx.93.106/636 flags FIN ACK on interface VPN_Outside
6 Dec 16 2010 10:31:49 106015 75.126.254.94 xxx.xxx.93.106 Deny TCP (no connection) from 75.126.254.94/57631 to xxx.xxx.93.106/636 flags ACK on interface VPN_Outside
Here are the rules allowing traffic on port 636:
access-list VPN_Outside_access_in extended permit tcp object-group Wikispaces_LDAP host xxx.xxx.93.106 eq ldaps
Here are the IP addresses in Wikispaces_LDAP:
object-group network Wikispaces_LDAP
network-object host 75.126.102.45
network-object host 75.126.254.94
network-object host 208.43.219.254
network-object host 75.126.102.43
network-object host 208.43.219.251
network-object host 75.126.254.93
network-object host 75.126.102.44
network-object host 75.126.254.92
network-object host 208.43.205.127
network-object host 66.228.116.239
network-object host 208.43.219.250
Any ideas?
12-16-2010 08:18 AM
Jason,
Could you pls. get the syslog for built and teardown for the same 4-tuple?
Same source IP, destination IP, source port and destination port.
-KS
12-16-2010 10:35 AM
6 Dec 16 2010 10:31:49 302013 75.126.254.94 10.70.8.31 Built inbound TCP connection 89414924 for VPN_Outside:75.126.254.94/57631 (75.126.254.94/57631) to Inside:10.70.8.31/636 (xxx.xxx.93.106/636)
The next two messages are the ones I already posted. There is no teardown of the connection.
12-16-2010 11:37 AM
There has to be teardown syslog - 302014. Unless you are not logging that message - do you have "no logging message 302014"?
If so pls. remove that.
I believe you are seeing those 106015 messages because those packets are arriving after the conn has been torn down.
-KS
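The correlation KS is asking for (same 4-tuple across 302013 build, 302014 teardown and 106015 deny) is easy to automate. The script below is an added example, not code from the thread or from Cisco: it walks an exported ASA log in order, keys each connection by the outside-facing 4-tuple, and classifies every 106015 by what the firewall logged earlier for that tuple. Two details matter for the keying: 302013 carries both the real (10.70.8.31) and the NAT-mapped (xxx.xxx.93.106) destination, while 106015 only ever shows the mapped address seen on the outside interface, and 302014 shows only the real address, so teardowns are tied back through the connection id rather than by address. The sample log is constructed for this example: three lines are the ones quoted in the thread, the 302014 line follows the documented 302014 format with a made-up byte count and reason, and the last three lines are invented to show the other two outcomes. The 302014 regex and the second and third source addresses are assumptions.

```python
"""Correlate ASA 106015 'Deny TCP (no connection)' with 302013/302014 for the same 4-tuple.

Added example for the thread above; not Cisco code. Line format is the exported
column layout seen in the post: severity, date, time, message id, src, dst, text.
"""
import re

# Only the fields needed for correlation are captured. [\w.]+ is used for addresses so
# that the redacted xxx.xxx.93.106 from the thread still matches.
BUILT_RE = re.compile(
    r"\b302013\b.*Built inbound TCP connection (?P<conn>\d+) for "
    r"(?P<in_if>[\w-]+):(?P<src>[\w.]+)/(?P<sport>\d+) \([^)]*\) to "
    r"(?P<out_if>[\w-]+):(?P<real_dst>[\w.]+)/(?P<dport>\d+) "
    r"\((?P<mapped_dst>[\w.]+)/(?P<mapped_dport>\d+)\)"
)
# Assumed to follow the documented 302014 layout: "... duration h:mm:ss bytes N [reason]".
TEARDOWN_RE = re.compile(
    r"\b302014\b.*Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<in_if>[\w-]+):(?P<src>[\w.]+)/(?P<sport>\d+) to "
    r"(?P<out_if>[\w-]+):(?P<real_dst>[\w.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+) ?(?P<reason>.*)$"
)
DENY_RE = re.compile(
    r"\b106015\b.*Deny TCP \(no connection\) from (?P<src>[\w.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\w.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>[\w-]+)"
)

# Constructed sample log. Lines 1, 3 and 4 are quoted from the thread; the rest are invented.
SAMPLE_LOG = [
    "6 Dec 16 2010 10:31:49 302013 75.126.254.94 10.70.8.31 Built inbound TCP connection 89414924 for VPN_Outside:75.126.254.94/57631 (75.126.254.94/57631) to Inside:10.70.8.31/636 (xxx.xxx.93.106/636)",
    "6 Dec 16 2010 10:31:49 302014 75.126.254.94 10.70.8.31 Teardown TCP connection 89414924 for VPN_Outside:75.126.254.94/57631 to Inside:10.70.8.31/636 duration 0:00:00 bytes 2048 TCP FINs",
    "6 Dec 16 2010 10:31:49 106015 75.126.254.94 xxx.xxx.93.106 Deny TCP (no connection) from 75.126.254.94/57631 to xxx.xxx.93.106/636 flags FIN ACK on interface VPN_Outside",
    "6 Dec 16 2010 10:31:49 106015 75.126.254.94 xxx.xxx.93.106 Deny TCP (no connection) from 75.126.254.94/57631 to xxx.xxx.93.106/636 flags ACK on interface VPN_Outside",
    # Build with no teardown logged, then a deny for the same tuple (invented).
    "6 Dec 16 2010 10:32:05 302013 75.126.102.45 10.70.8.31 Built inbound TCP connection 89414980 for VPN_Outside:75.126.102.45/41000 (75.126.102.45/41000) to Inside:10.70.8.31/636 (xxx.xxx.93.106/636)",
    "6 Dec 16 2010 10:32:09 106015 75.126.102.45 xxx.xxx.93.106 Deny TCP (no connection) from 75.126.102.45/41000 to xxx.xxx.93.106/636 flags ACK on interface VPN_Outside",
    # Deny with no build at all for that tuple (invented).
    "6 Dec 16 2010 10:33:00 106015 208.43.219.254 xxx.xxx.93.106 Deny TCP (no connection) from 208.43.219.254/50210 to xxx.xxx.93.106/636 flags ACK on interface VPN_Outside",
]


def classify_denies(lines):
    """Classify each 106015 by the state of the same outside-view 4-tuple.

    Returns a list of (line_number, verdict, tcp_flags, key) where key is
    (src, sport, mapped_dst, dport) as the outside interface sees it.
    """
    key_by_conn = {}  # connection id -> 4-tuple key, learned from 302013
    state = {}        # key -> "open" or "torn_down"
    results = []
    for n, line in enumerate(lines, 1):
        m = BUILT_RE.search(line)
        if m:
            key = (m["src"], m["sport"], m["mapped_dst"], m["mapped_dport"])
            key_by_conn[m["conn"]] = key
            state[key] = "open"
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            # 302014 shows only the real destination, so map back via the conn id.
            key = key_by_conn.get(m["conn"])
            if key is not None:
                state[key] = "torn_down"
            continue
        m = DENY_RE.search(line)
        if m:
            key = (m["src"], m["sport"], m["dst"], m["dport"])
            seen = state.get(key)
            if seen == "torn_down":
                # Straggling FIN/ACK after the conn was removed: the benign case KS describes.
                verdict = "late_segment_after_teardown"
            elif seen == "open":
                # Built, never torn down in the log, yet denied: either 302014 is not being
                # logged or the return path never reached this interface.
                verdict = "deny_without_logged_teardown"
            else:
                # No 302013 at all: the SYN never built a conn (ACL, NAT or routing problem).
                verdict = "no_prior_connection"
            results.append((n, verdict, m["flags"], key))
    return results


if __name__ == "__main__":
    for n, verdict, flags, key in classify_denies(SAMPLE_LOG):
        print(f"line {n}: {verdict:30s} flags={flags!r} {key[0]}/{key[1]} -> {key[2]}/{key[3]}")
```

Run it against a real export (one message per line) and look at the verdict column: a run of late_segment_after_teardown with FIN ACK and ACK flags is the normal end-of-session noise KS points at, while deny_without_logged_teardown is the signal to check whether 302014 has been disabled (look for a "no logging message 302014" line in the logging section of the running configuration) and no_prior_connection means the SYN itself never built a connection and the ACL or NAT rule is the first place to look.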