02-09-2011 03:37 AM - edited 03-11-2019 12:47 PM
Hello
I am having a problem with some users not being able to get to the internet. From the firewall logs, I can see that the connection goes out, but the connection from the website back in is being blocked. I have checked the Security Rules and they look fine. I also don't see anything wrong with the ACL.
Any ideas?
Log entries:
6|Feb 09 2011|04:32:50|302014|88.221.94.74|80|10.10.22.163|3398|Teardown TCP connection 129639 for outside:88.221.94.74/80 to inside:10.10.22.163/3398 duration 0:00:09 bytes 0 TCP Reset-I
6|Feb 09 2011|04:32:50|305012|10.10.22.163|3397|63.250.139.46|47413|Teardown dynamic TCP translation from inside:10.10.22.163/3397 to outside:63.250.139.46/47413 duration 0:00:30
2|Feb 09 2011|04:32:44|106001|88.221.94.74|80|10.10.22.163|3398|Inbound TCP connection denied from 88.221.94.74/80 to 10.10.22.163/3398 flags SYN ACK on interface inside
Thanks
Keith
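As an added illustration (not part of Keith's or Federico's posts), the script below parses ASA syslog lines in the pipe-delimited layout shown above and flags the pattern visible in the log: a 106001 denial of a SYN/ACK on the inside interface, a 302014 teardown that carried zero bytes, and the real-to-mapped address pairs from 305012 translation teardowns. The sample log is constructed from the three lines above plus one added 302013 "Built" line; the regular expressions follow the message text as posted in the thread and the field names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three lines from the post plus one added 302013 line
# (format assumed from the ASA "Built outbound TCP connection" message).
SAMPLE_LOG = """\
6|Feb 09 2011|04:32:41|302013|10.10.22.163|3398|88.221.94.74|80|Built outbound TCP connection 129639 for outside:88.221.94.74/80 (88.221.94.74/80) to inside:10.10.22.163/3398 (63.250.139.46/47414)
6|Feb 09 2011|04:32:50|302014|88.221.94.74|80|10.10.22.163|3398|Teardown TCP connection 129639 for outside:88.221.94.74/80 to inside:10.10.22.163/3398 duration 0:00:09 bytes 0 TCP Reset-I
6|Feb 09 2011|04:32:50|305012|10.10.22.163|3397|63.250.139.46|47413|Teardown dynamic TCP translation from inside:10.10.22.163/3397 to outside:63.250.139.46/47413 duration 0:00:30
2|Feb 09 2011|04:32:44|106001|88.221.94.74|80|10.10.22.163|3398|Inbound TCP connection denied from 88.221.94.74/80 to 10.10.22.163/3398 flags SYN ACK on interface inside
"""

# Message-text patterns for the three message IDs that appear in the thread.
DENIED_RE = re.compile(
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)
XLATE_RE = re.compile(
    r"Teardown dynamic TCP translation from (?P<in_if>\w+):(?P<real>[\d.]+)/(?P<rport>\d+) "
    r"to (?P<out_if>\w+):(?P<mapped>[\d.]+)/(?P<mport>\d+)"
)
CONN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for (?P<a_if>\w+):(?P<a>[\d.]+)/(?P<ap>\d+) "
    r"to (?P<b_if>\w+):(?P<b>[\d.]+)/(?P<bp>\d+) duration (?P<dur>[\d:]+) "
    r"bytes (?P<bytes>\d+)(?: (?P<reason>.*))?"
)


@dataclass
class Entry:
    """One syslog record: severity|date|time|msgid|src|sport|dst|dport|text."""
    severity: int
    msgid: str
    src: str
    sport: int
    dst: str
    dport: int
    text: str


def parse_line(line):
    """Split one pipe-delimited ASA line; return None if it is not in that layout."""
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9:
        return None
    sev, _date, _time, msgid, src, sport, dst, dport, text = parts
    return Entry(int(sev), msgid, src, int(sport), dst, int(dport), text)


def analyze(log_text):
    """Return {'findings': [...], 'xlates': {(real_ip, real_port): (mapped_ip, mapped_port)}}."""
    findings = []
    xlates = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e.msgid == "305012":
            m = XLATE_RE.search(e.text)
            if m:
                xlates[(m["real"], int(m["rport"]))] = (m["mapped"], int(m["mport"]))
        elif e.msgid == "106001":
            m = DENIED_RE.search(e.text)
            # A SYN/ACK with no matching connection: the firewall never built state
            # for the client's SYN on this path (asymmetric routing) or it is already gone.
            if m and "SYN" in m["flags"] and "ACK" in m["flags"]:
                findings.append({
                    "kind": "syn_ack_denied",
                    "interface": m["iface"],
                    "server": f"{m['src']}:{m['sport']}",
                    "client": f"{m['dst']}:{m['dport']}",
                    "note": f"reply from server reached interface '{m['iface']}' without a matching connection entry",
                })
        elif e.msgid == "302014":
            m = CONN_RE.search(e.text)
            # Zero bytes over the life of the connection: the handshake never completed.
            if m and int(m["bytes"]) == 0:
                findings.append({
                    "kind": "zero_byte_teardown",
                    "conn_id": m["id"],
                    "reason": m["reason"] or "",
                    "client": f"{m['b']}:{m['bp']}",
                })
    return {"findings": findings, "xlates": xlates}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for finding in result["findings"]:
        print(finding)
    for real, mapped in result["xlates"].items():
        print("xlate", real, "->", mapped)
```

Run against the thread's lines, the script reports the SYN/ACK denied on "inside" for client 10.10.22.163:3398, the zero-byte teardown with reason "TCP Reset-I", and the translation 10.10.22.163:3397 to 63.250.139.46:47413. Feeding it a longer syslog export lets you count how many hosts and which interfaces show the pattern before taking a capture.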
02-09-2011 06:55 AM
Keith,
Those teardown messages could be normal TCP behavior or could indicate a problem, but in order to know what's going on we need a few things:
1. Are the internal users able to reach the internet (not only web traffic, are they able to PING for example)?
2. Do you have HTTP inspection enabled that might be causing the problem?
You can also share the output of show run so we can help you out to check the configuration.
Federico.
02-09-2011 09:01 AM
1. This is limited to a branch office who is routing over our MPLS. A traceroute does make it to the ASA which is routing to the internet.
2. We are using Websense as a URL Filter, however, this hasn't caused any issues before. We have been using this for years.
I have attached the configuration with the IP addresses changed.
Any input would be appreciated.
02-09-2011 09:05 AM
Keith,
According to the log errors that you posted, 10.10.22.163 should be on the inside of the ASA.
However, looking at the configuration, the ASA has no route to that address via the inside.
What is the IP of the computer trying to get to the Internet?
Federico.
02-10-2011 02:04 AM
02-10-2011 05:43 AM
Keith,
In order to check what exactly is happening to that flow, you can post a capture.
access-list capin permit ip host x.x.x.x host y.y.y.y
access-list capin permit ip host y.y.y.y host x.x.x.x
capture capin access-list capin interface inside
access-list capout permit ip host z.z.z.z host y.y.y.y
access-list capout permit ip host y.y.y.y host z.z.z.z
capture capout access-list capout interface outside
Then use
https://IP_ADDRESS_ASA/capture/capin/pcap
https://IP_ADDRESS_ASA/capture/capout/pcap
to export the captures in pcap format and read them in Wireshark (you can send me these files in a private message).
x.x.x.x --> Real IP of the internal host trying to browse
y.y.y.y --> IP of the web server
z.z.z.z --> NATed IP of the real host
Federico.