Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
660
Views
0
Helpful
2
Replies

Logging half-open conections to blocked Windows ports

b.julin
Level 3
Level 3

‎01-25-2014 06:55 PM - edited ‎03-11-2019 08:35 PM

Background:

Usually when we have a problem with a VPN user attempting to connect

to an inside service, we turn to our ASA syslogs to determine where the

connection is being prohibited (or other errors such as the user trying

to connect to the wrong machine.)  This works fine for normally configured

(UNIX) servers which send an ICMP reject message.  Recently we had to

diagnose problems connecting to an inside Windows device, and although

the VPN client had attempted to connect, no log message was produced

because the connection never got a TCP RST nor ICMP reject.

From what I can suss out from MSDN, turning off "stealth mode" on Windows

boxes to return those boxes to sane ICMP reject behavior is either not completely

supported, or at the very least misguidedly discouraged by Microsoft, and so I

might not be able to convince various Windows administrators to alter this policy.

Question:

Is there a way to get log messages bearing the IP tuples for TCP and/or UDP

incomplete connections where the ASA sees only packets destined for an inside host?

This would be for a small number (<50) of VPN remote clients, so we

are not very worried about a DDOS saturating the logs -- these packets are

not attacks just mistakes.

We would need this to happen even for single packets, and without actually

dropping traffic from the initiator, so threat-detection probably won't do the

trick here, unless it can be made to audit-only on single packets.

VPN is all this ASA device is doing, so it likely an afford the CPU for configurations

normally deemed too CPU intense.

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎01-26-2014 03:48 AM

Hi,

Wouldnt you be essentially looking for connection "Teardown" messages with reason SYN Timeout? As this should be the result if either the ASA doesnt seen the return SYN ACK or the last ACK from the connection initiator? This would usually be generated after 20-30 seconds if the connection doesnt form.

I am not really sure about the UDP. Rarely have to troubleshoot UDP connections. The very rare cases usually relate to Video/Voice and in there I usually see ICMP messages returned for a port that the destination device is not listening on. And while troubleshooting these I tend to take captures on the actual ASA.

Think the Teardown Syslog ID for TCP connections is ASA-6-302013

This is usually the first Syslog ID I look for from the server when someone reports a problem with connectivity.

By default its a Informational level log message or naturally it can be changed to something else if your logging is for example set to Notifications.

Heres the link to the Cisco document about this log message

http://www.cisco.com/en/US/docs/security/asa/syslog-guide/logmsgs.html#wp6941209

- Jouni

0 Helpful

Peter Koltl
Level 7
Level 7
In response to Jouni Forss

‎01-26-2014 11:02 PM

For live troubleshooting the following command is useful:

show conn detail long

Silent servers are marked with SAa flags.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card