09-16-2013 02:01 PM - edited 03-11-2019 07:39 PM
Hi,
I am seeing several TCP connections through my ASA 5520 being closed by inspection in the ASA. In the logs I find entries like "Flow closed by inspection", but how can I find WHICH inspection rule closes the connections? Many of the connections that are closed use port numbers that do not have an inspection rule.
I am running version 9.1(2).
Best regards,
Thor-Egil
09-16-2013 02:15 PM
Hello,
If you run show service-policy you will see the number of drops per inspection engine.
Can you provide us an example of what you are referring to as unused ports?
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-16-2013 02:40 PM
Hi,
I have a lot of drops on connections using port tcp/3389 (remote desktop), and I cannot see which inspection rule closes these connections.
Here is output from show service-policy:
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns _default_dns_map, packet 54168677, drop 448216, reset-drop 0, v6-fail-close 0
Inspect: ftp, packet 84923, drop 110, reset-drop 0, v6-fail-close 0
Inspect: ctiqbe, packet 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: dcerpc, packet 429732, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 h225 _default_h323_map, packet 1036, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: http, packet 1974971854, drop 0, reset-drop 0, v6-fail-close 0
Inspect: ils, packet 29699552, drop 0, reset-drop 0, v6-fail-close 0
Inspect: ipsec-pass-thru _default_ipsec_passthru_map, packet 1078, drop 0, reset-drop 0, v6-fail-close 0
Inspect: mgcp, packet 1, drop 0, reset-drop 0, v6-fail-close 0
Inspect: netbios, packet 41451, drop 0, reset-drop 0, v6-fail-close 0
Inspect: pptp, packet 10101, drop 0, reset-drop 0, v6-fail-close 0
Inspect: rsh, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: rtsp, packet 162941, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sip , packet 2693, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: skinny , packet 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: snmp, packet 16950, drop 0, reset-drop 0, v6-fail-close 0
Inspect: sqlnet, packet 10, drop 0, reset-drop 0, v6-fail-close 0
Inspect: sunrpc, packet 19, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: tftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: icmp, packet 545248, drop 6039, reset-drop 0, v6-fail-close 0
Inspect: icmp error, packet 10989, drop 122, reset-drop 0, v6-fail-close 0
Class-map: global-class
IPS: card status Up, mode inline fail-open
packet input 5261295006, packet output 5261310875, drop 2785, reset-drop 14
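Added example, not part of the original thread: cumulative drop totals like the ones above do not show which engine is active right now, so one approach is to capture show service-policy twice, before and after reproducing a closed session, and compare the per-engine counters. The function names are hypothetical, the first snapshot reuses lines from the output above, and the second snapshot's values are constructed.

```python
import re

# Matches one "Inspect:" counter line of `show service-policy` as posted in the thread.
INSPECT_RE = re.compile(
    r"Inspect:\s*(?P<engine>[^,]+?)\s*,\s*packet\s+(?P<packet>\d+),"
    r"\s*drop\s+(?P<drop>\d+),\s*reset-drop\s+(?P<reset>\d+)"
)

def parse_inspect_counters(text):
    """Return {engine: {"packet": int, "drop": int, "reset-drop": int}}."""
    counters = {}
    for line in text.splitlines():
        m = INSPECT_RE.search(line)
        if m:
            counters[m["engine"]] = {"packet": int(m["packet"]), "drop": int(m["drop"]),
                                     "reset-drop": int(m["reset"])}
    return counters

def drop_deltas(before, after):
    """Engines whose drop + reset-drop total grew between snapshots, largest first."""
    grown = []
    for engine, now in after.items():
        old = before.get(engine, {"drop": 0, "reset-drop": 0})
        delta = (now["drop"] - old["drop"]) + (now["reset-drop"] - old["reset-drop"])
        if delta > 0:  # negative deltas (counters cleared in between) are ignored
            grown.append((engine, delta))
    return sorted(grown, key=lambda item: item[1], reverse=True)

# First snapshot: lines copied from the output posted in the thread.
SNAPSHOT_1 = """\
Inspect: dns _default_dns_map, packet 54168677, drop 448216, reset-drop 0, v6-fail-close 0
Inspect: ftp, packet 84923, drop 110, reset-drop 0, v6-fail-close 0
Inspect: sip , packet 2693, drop 0, reset-drop 0, v6-fail-close 0
Inspect: icmp, packet 545248, drop 6039, reset-drop 0, v6-fail-close 0
Inspect: icmp error, packet 10989, drop 122, reset-drop 0, v6-fail-close 0
"""
# Second snapshot: constructed values, as if captured after reproducing the problem.
SNAPSHOT_2 = """\
Inspect: dns _default_dns_map, packet 54168900, drop 448217, reset-drop 0, v6-fail-close 0
Inspect: ftp, packet 84923, drop 110, reset-drop 0, v6-fail-close 0
Inspect: sip , packet 2693, drop 0, reset-drop 0, v6-fail-close 0
Inspect: icmp, packet 545260, drop 6042, reset-drop 0, v6-fail-close 0
Inspect: icmp error, packet 10990, drop 122, reset-drop 0, v6-fail-close 0
"""

if __name__ == "__main__":
    before, after = parse_inspect_counters(SNAPSHOT_1), parse_inspect_counters(SNAPSHOT_2)
    for engine, delta in drop_deltas(before, after):
        print(f"{engine}: +{delta} drops")
```

A counter that grows during the test window only narrows the candidates; other traffic hitting the same engine in that window increments it too.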
09-16-2013 03:35 PM
Hello,
Okay,
As in the previous post:
Have you disabled the ICMP inspection and tested?
Due to
ICMP inspection closes TCP conns with "Flow closed by inspection"
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-16-2013 10:46 PM
Hi and thanks for your answer,
I have now disabled the ICMP inspection and will test if this solves the problem. I also see that Cisco has released an interim version 9.1.2(8) that has some inspection fixes; I will try this version.
Cheers,
Thor-Egil