Weird Firewall ACL Log Entry

Eric Snijders
Level 1

Hi all,

I'm seeing weird log entries on my firewall. Like this:

2019-02-11 09:22:55	Local6.Notice	192.168.10.10	Feb 11 2019 09:23:03: %ASA-5-106100: access-list VLAN100_access_in permitted tcp VLAN100/172.24.2.163(8021) -> VLAN200/172.24.0.163(51804) hit-cnt 1 first hit [0xa31bbc5d, 0x00000000]

The weird thing is: it looks like it's a reply (since the destination port is a random one). Does anyone have an idea why I'm seeing this traffic in this log rule?

Could this mean that for some reason the host at 172.24.2.163 dropped its former connection and set up a new TCP connection to the host at 172.24.0.163?

2 Replies

socratesp1980
Level 1
It could be a number of things. It does not necessarily mean that it is a reply packet. If this was the first packet of the TCP session, and if your VLAN 100 IP is indeed a server and VLAN 200 is your clients' VLAN, I could assume that your server is doing some form of keep-alive/hello messages to the previously contacted clients. You need to dig a little more into the operation of your clients/server. Wireshark might come in handy.

Hi socratesp1980,

Thanks for the information! Doing a packet capture is no problem, but I'm wondering how I should perform the packet capture. In this case, the VLAN100 IP is indeed the server, and VLAN200 is the client.

If I would just capture all in- and outbound traffic from the server in VLAN100, how would I distinguish this exact traffic? Should I try a capture with the source port in this case? Because tcp/8021 is indeed the right traffic.
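The two things this thread turns on are reading the %ASA-5-106100 entry correctly and then isolating that one flow in a capture. The script below is an added example written for this page, not code from the thread or from Cisco: it parses 106100 lines into their fields (ACL name, action, protocol, interface/IP(port) on each side, hit count, "first hit" versus interval), flags the pattern Eric noticed (a known service port as source and a high port as destination), and builds a tcpdump/BPF filter and a Wireshark display filter for exactly that 5-tuple in both directions. The one real log line is the entry from the question; the other sample lines are constructed. The ephemeral-port threshold of 32768 and the service-port set {8021} are assumptions for this site. Background for the flag: an ASA applies interface ACLs to packets that open a new connection, while the return half of an already established connection is passed by the connection table without producing a 106100 hit, so an entry with the service port as source is a flow started from the server side, which is the possibility socratesp1980 raises.

```python
"""Parse Cisco ASA %ASA-5-106100 access-list log lines and build capture filters.

Added example for this thread (not Cisco code). Field layout follows the entry
quoted in the question; constructed sample lines are marked as such below.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Message body of a 106100 entry. The trailing "[0x..., 0x...]" hash codes are
# left unparsed; re.search() skips any syslog collector prefix in front.
ASA_106100 = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<sif>[^/\s]+)/(?P<sip>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dip>[\d.]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) (?P<interval>first hit|\d+-second interval)"
)


@dataclass(frozen=True)
class AclHit:
    acl: str
    action: str
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    hit_cnt: int
    first_hit: bool  # True for "first hit", False for an "N-second interval" summary


def parse_106100(line: str) -> Optional[AclHit]:
    """Return the parsed ACL hit, or None if the line is not a 106100 message."""
    m = ASA_106100.search(line)
    if m is None:
        return None
    return AclHit(
        acl=m["acl"], action=m["action"], proto=m["proto"],
        src_if=m["sif"], src_ip=m["sip"], src_port=int(m["sport"]),
        dst_if=m["dif"], dst_ip=m["dip"], dst_port=int(m["dport"]),
        hit_cnt=int(m["hits"]), first_hit=(m["interval"] == "first hit"),
    )


def looks_server_initiated(hit: AclHit,
                           service_ports=frozenset({8021}),   # assumption: tcp/8021 is the service here
                           ephemeral_min: int = 32768) -> bool:  # assumption: Linux default range start
    """The pattern from the question: service port as *source*, high port as destination.

    Because the ACL only sees packets that start a connection, such an entry is
    a new flow opened from the server side, not the reply half of an existing one.
    """
    return hit.src_port in service_ports and hit.dst_port >= ephemeral_min


def bpf_filter(hit: AclHit) -> str:
    """tcpdump / capture filter matching this exact 5-tuple in both directions."""
    fwd = (f"(src host {hit.src_ip} and src port {hit.src_port} and "
           f"dst host {hit.dst_ip} and dst port {hit.dst_port})")
    rev = (f"(src host {hit.dst_ip} and src port {hit.dst_port} and "
           f"dst host {hit.src_ip} and dst port {hit.src_port})")
    return f"{hit.proto} and ({fwd} or {rev})"


def wireshark_filter(hit: AclHit) -> str:
    """Wireshark display filter for the same flow (ip.addr / tcp.port match either side)."""
    return (f"ip.addr == {hit.src_ip} && ip.addr == {hit.dst_ip} && "
            f"{hit.proto}.port == {hit.src_port} && {hit.proto}.port == {hit.dst_port}")


SAMPLE_LINES = [
    # The entry from the question, including the syslog collector's prefix.
    "2019-02-11 09:22:55\tLocal6.Notice\t192.168.10.10\tFeb 11 2019 09:23:03: "
    "%ASA-5-106100: access-list VLAN100_access_in permitted tcp "
    "VLAN100/172.24.2.163(8021) -> VLAN200/172.24.0.163(51804) "
    "hit-cnt 1 first hit [0xa31bbc5d, 0x00000000]",
    # Constructed: the ordinary client -> server direction for the same service.
    "Feb 11 2019 09:23:10: %ASA-5-106100: access-list VLAN200_access_in permitted tcp "
    "VLAN200/172.24.0.163(51810) -> VLAN100/172.24.2.163(8021) "
    "hit-cnt 1 first hit [0x11111111, 0x00000000]",
    # Constructed: a different message ID that the parser must ignore.
    "Feb 11 2019 09:23:11: %ASA-6-302013: Built inbound TCP connection (constructed)",
]


def triage(lines: List[str]) -> List[Tuple[str, bool]]:
    """Reduce a batch of log lines to (flow, server_initiated?) pairs."""
    out = []
    for line in lines:
        hit = parse_106100(line)
        if hit is None:
            continue
        flow = f"{hit.src_ip}:{hit.src_port}->{hit.dst_ip}:{hit.dst_port}"
        out.append((flow, looks_server_initiated(hit)))
    return out


if __name__ == "__main__":
    for flow, odd in triage(SAMPLE_LINES):
        print(f"{flow}  server-initiated={odd}")
    hit = parse_106100(SAMPLE_LINES[0])
    print("tcpdump -i <server-facing interface> '" + bpf_filter(hit) + "'")
    print("Wireshark: " + wireshark_filter(hit))
```

Capturing with the server-side 5-tuple filter (rather than only `port 8021`) answers the question about distinguishing the traffic: normal client sessions have 8021 as the destination, so a filter pinned to source 172.24.2.163:8021 and destination 172.24.0.163:51804 shows only the flow the ASA logged, and the first packets in that capture tell you whether the server opened a fresh connection (SYN) or the firewall saw something else.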
