service resetoutbound and high traffic

fara.rhea
Level 1

Guys,

Need your experience here, ..

By default, service resetoutbound is enabled for all interfaces. The formal definition of resetoutbound is sends TCP resets for all outbound TCP sessions that attempt to transit the ASA and are denied by the ASA based on access lists or AAA settings. The ASA also sends resets for packets that are allowed by an access list or AAA, but do not belong to an existing connection and are denied by the stateful firewall.

Based on that definition, the ASA will send a TCP reset back to the source IP whose traffic is blocked by an ACL or AAA (CMIIW). What happens if the source still tries to reconnect (after the source receives the TCP reset it resets the connection, but the application tries to reconnect again)? Can it cause high traffic?

Based on experience, I have found logs in the ASA with a lot of "connection re-attempts" like this:

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-302013: Built inbound TCP connection 7411196 for outside:xxx145.201/38733 (xxx145.201/38733) to inside:xxx.xxx.1/2000 (xxx.xxx.1/2000)

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-302014: Teardown TCP connection 7411196 for outside:xxx145.201/38733 to inside:xxx.xxx.1/2000 duration 0:00:00 bytes 196 FIN Timeout

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-106015: Deny TCP (no connection) from xxx145.201/38733 to xxx.xxx.1/2000 flags ACK  on interface outside

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-302013: Built inbound TCP connection 7411198 for outside:xxx145.204/28317 (xxx145.204/28317) to inside:xxx.xxx.1/2000 (xxx.xxx.1/2000)

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-302014: Teardown TCP connection 7411198 for outside:xxx145.204/28317 to inside:xxx.xxx.1/2000 duration 0:00:00 bytes 196 FIN Timeout

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-106015: Deny TCP (no connection) from xxx145.204/28317 to xxx.xxx.1/2000 flags ACK  on interface outside

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-302013: Built inbound TCP connection 7411200 for outside:xxx145.202/28526 (xxx145.202/28526) to inside:xxx.xxx.1/2000 (xxx.xxx.1/2000)

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-302014: Teardown TCP connection 7411200 for outside:xxx145.202/28526 to inside:xxx.xxx.1/2000 duration 0:00:00 bytes 196 FIN Timeout

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-106015: Deny TCP (no connection) from xxx145.202/28526 to xxx.xxx.1/2000 flags ACK  on interface outside

2012-11-13 20:12:09          Local4.Info          xxx.xxx.93          %ASA-6-302013: Built inbound TCP connection 7411202 for outside:xxx145.204/39240 (xxx145.204/39240) to inside:xxx.xxx.1/2000 (xxx.xxx.1/2000)

2012-11-13 20:12:09          Local4.Info          xxx.xxx.93          %ASA-6-302014: Teardown TCP connection 7411202 for outside:xxx145.204/39240 to inside:xxx.xxx.1/2000 duration 0:00:00 bytes 196 FIN Timeout

Regards
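The log pattern in the post (302013 Built, 302014 Teardown with duration 0:00:00 and FIN Timeout, then 106015 Deny TCP (no connection) for the same source port) is the kind of thing that is easier to judge by counting than by eye. The following script is an added example, not code from the original thread or from Cisco: it parses those three ASA message IDs out of syslog text, groups events per source address and flags sources that keep building connections that die within a second. The sample log lines are constructed for the example (addresses and connection IDs are made up), and the thresholds (`short_secs`, `window_secs`, `min_reattempts`) are example values, not ASA defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the %ASA-6-302013/302014/106015 format shown in
# the thread. Addresses, hostnames and connection IDs are made up.
SAMPLE_LOG = """\
2012-11-13 20:12:08 Local4.Info 10.0.0.93 %ASA-6-302013: Built inbound TCP connection 7411196 for outside:203.0.113.201/38733 (203.0.113.201/38733) to inside:192.0.2.1/2000 (192.0.2.1/2000)
2012-11-13 20:12:08 Local4.Info 10.0.0.93 %ASA-6-302014: Teardown TCP connection 7411196 for outside:203.0.113.201/38733 to inside:192.0.2.1/2000 duration 0:00:00 bytes 196 FIN Timeout
2012-11-13 20:12:08 Local4.Info 10.0.0.93 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.201/38733 to 192.0.2.1/2000 flags ACK  on interface outside
2012-11-13 20:12:08 Local4.Info 10.0.0.93 %ASA-6-302013: Built inbound TCP connection 7411198 for outside:203.0.113.204/28317 (203.0.113.204/28317) to inside:192.0.2.1/2000 (192.0.2.1/2000)
2012-11-13 20:12:08 Local4.Info 10.0.0.93 %ASA-6-302014: Teardown TCP connection 7411198 for outside:203.0.113.204/28317 to inside:192.0.2.1/2000 duration 0:00:00 bytes 196 FIN Timeout
2012-11-13 20:12:08 Local4.Info 10.0.0.93 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.204/28317 to 192.0.2.1/2000 flags ACK  on interface outside
2012-11-13 20:12:09 Local4.Info 10.0.0.93 %ASA-6-302013: Built inbound TCP connection 7411202 for outside:203.0.113.204/39240 (203.0.113.204/39240) to inside:192.0.2.1/2000 (192.0.2.1/2000)
2012-11-13 20:12:09 Local4.Info 10.0.0.93 %ASA-6-302014: Teardown TCP connection 7411202 for outside:203.0.113.204/39240 to inside:192.0.2.1/2000 duration 0:00:00 bytes 196 FIN Timeout
2012-11-13 20:12:09 Local4.Info 10.0.0.93 %ASA-6-302013: Built inbound TCP connection 7411210 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:192.0.2.1/2000 (192.0.2.1/2000)
2012-11-13 20:15:40 Local4.Info 10.0.0.93 %ASA-6-302014: Teardown TCP connection 7411210 for outside:198.51.100.7/51000 to inside:192.0.2.1/2000 duration 0:03:31 bytes 48210 TCP FINs
"""

# Message IDs the thread is about: connection built, connection torn down,
# and a packet denied because it matched no existing connection.
TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
BUILT_RE = re.compile(
    TS + r".*%ASA-6-302013: Built (?:inbound|outbound) TCP connection (?P<cid>\d+)"
    r" for \w+:(?P<src>[\d.]+)/(?P<sport>\d+) .* to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
TEARDOWN_RE = re.compile(
    TS + r".*%ASA-6-302014: Teardown TCP connection (?P<cid>\d+)"
    r" for \w+:(?P<src>[\d.]+)/(?P<sport>\d+) to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r" duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")
DENY_RE = re.compile(
    TS + r".*%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+)"
    r" to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?)\s+on interface (?P<iface>\S+)")


def duration_seconds(dur):
    """Convert the ASA 'h:mm:ss' duration field to seconds."""
    h, m, s = (int(x) for x in dur.split(":"))
    return h * 3600 + m * 60 + s


def peak_in_window(timestamps, window_secs):
    """Largest number of events inside any interval window_secs wide."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i, t in enumerate(ts):
        while (t - ts[j]).total_seconds() > window_secs:
            j += 1
        best = max(best, i - j + 1)
    return best


def analyze(log_text, short_secs=1, window_secs=10, min_reattempts=2):
    """Per-source counts of built, short-lived and no-connection-denied events.

    A source is flagged as a reconnect loop when it built at least
    min_reattempts connections inside window_secs and at least that many of
    its connections were torn down within short_secs (example thresholds)."""
    per_src = defaultdict(lambda: {"built": 0, "short_teardowns": 0,
                                   "no_conn_denies": 0, "bytes": 0, "_ts": []})
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            s = per_src[m.group("src")]
            s["built"] += 1
            s["_ts"].append(datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"))
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            s = per_src[m.group("src")]
            s["bytes"] += int(m.group("bytes"))  # bytes the ASA saw on that flow
            if duration_seconds(m.group("dur")) <= short_secs:
                s["short_teardowns"] += 1
            continue
        m = DENY_RE.search(line)
        if m:
            per_src[m.group("src")]["no_conn_denies"] += 1
    report = {}
    for src, s in per_src.items():
        peak = peak_in_window(s["_ts"], window_secs)
        report[src] = {
            "built": s["built"],
            "short_teardowns": s["short_teardowns"],
            "no_conn_denies": s["no_conn_denies"],
            "bytes": s["bytes"],
            "peak_builds_in_window": peak,
            "reconnect_loop": peak >= min_reattempts
                              and s["short_teardowns"] >= min_reattempts,
        }
    return report


if __name__ == "__main__":
    for src, r in sorted(analyze(SAMPLE_LOG).items()):
        print(src, r)
```

Feed it a syslog export instead of `SAMPLE_LOG` and the per-source `bytes` and `peak_builds_in_window` figures say directly whether a handful of clients looping through build/teardown/deny cycles account for the volume you are seeing, which is the question the post asks; the flagged sources are also the ones worth capturing on the outside interface.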

1 Reply

Julio Carvajal
VIP Alumni

Hello Fara,

By default that is how the TCP protocol works. I mean, after a TCP connection gets dropped they will try to initiate it and connect again, but if this connection is invalid (because of any of the Accelerated Security Path algorithm values) it will get dropped.

So you need to do captures in order to determine what is going on, and finally download them and analyze them in Wireshark.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC