Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
647
Views
5
Helpful
7
Replies

Return traffic being blocked in FTD firewall

mjrosana02
Level 1
Level 1

‎01-13-2025 04:41 AM - last edited on ‎01-13-2025 05:06 AM by Cisco Employee

Hi all,

Is anyone here also experience this kind of issue on the FTD?  we notice that some return traffic being blocked on the FTD.

Thanks for the answer!!

7 Replies 7

MHM Cisco World
VIP
VIP

‎01-13-2025 04:46 AM

Did you check ""show conn"" to see if there active conn in ftd for retrun traffic 

MHM

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-13-2025 05:51 AM

What indicators are you seeing to lead to believe this is the case?

Have you confirmed the routing is symmetric (return traffic coming via the same interface via which it leaves)?

mjrosana02
Level 1
Level 1
In response to Marvin Rhoads

‎01-13-2025 05:38 PM

Hi Marvin,

mjrosana02_0-1736818342693.png

Here is the sample logs, From the existing rule the source is 172.16.x.x network and the destination is 192.168.24.40 on port 8443, there is no issue from this direction. But we are seeing these logs where 192.168.24.40 is communicating back to 172.16.x.x using port 8443 but the destination is the random ports. 

0 Helpful

Massimo Baschieri
Level 3
Level 3
In response to mjrosana02

‎01-13-2025 09:08 PM

That's return traffic which hits the firewall after the session has already been closed, that is the firewall doesn't find a xlate for those sessions, I suppose this can happen for many reasons, duplicated packets, high latency, network issues, server issues etc..

Nothing to be worried about usually

0 Helpful

ccieexpert
VIP
VIP

‎01-13-2025 04:53 PM

Please provide logs and if possible packet captures showing this behavior.

mjrosana02
Level 1
Level 1

‎01-13-2025 05:40 PM

Hello @ccieexpert ,

Good day!
Please refer to my comments above.

Thanks,

0 Helpful

ccieexpert
VIP
VIP

‎01-13-2025 07:57 PM

that doesnt help as it only shows the reverse packets that are blocked..

first question is there any issue ? or you are just checking why they are happening ?

You should get a syslog of the entire flow from start to finish as shown in the below link.

That will help to see when the CONN was built and when it was teardown.. It is possible that a conn was reset/torn down by the firewall,  and then a return packet came after that in the reverse direction, thus my question is it affecting anything..

Please get us the syslog/log for the sourde/destination flow, which allow us more insight.

 

https://www.lammle.com/post/cisco-firepower-ftd-syslog-messages-and-how-to-see-cisco-ftd-lina-events/

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card