Why ASA is dropping Syn/Ack packet from a permited connection by ACL

alexandre.joanelli · ‎09-23-2014

Hey guys

I'm experiencing some kind of weird behavior of my ASA 5520 (8.3.1)

I have a customer that needs to access an inside webserver of mine.

I've created a rule in the proper ACL permitting another range of their address to access the web server.

I can see the syn packet being permitted, acl's counter increases, and... the Syn/Ack being denied by the firewall!!!

Look the log...

6|Sep 17 2014|16:29:29|302013|172.40.36.20|3154|10.171.3.139|80|Built outbound TCP connection 1075586687 for vlan5:10.171.3.139/80 (10.171.3.139/80) to vlan155:172.40.36.20/3154 (172.40.36.20/3154)

2|Sep 17 2014|16:29:29|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK on interface vlan155

2|Sep 17 2014|16:29:32|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK on interface vlan155
2|Sep 17 2014|16:29:38|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK on interface vlan155

Also, we don't use NAT for those IP's

Anyone?

ramadasaid0204 · ‎09-23-2014

Hi,

Can you post the ACL as well ?

Or, may be your ASA is smelling some SYN Flood Attacks from your client and the TCP Intercept is in the business to prevent the 3-Way from completing.

Cheers

alexandre.joanelli · ‎09-23-2014

Hi

Thanks for helpping!

access-list vlan155_access_in line 4 extended permit tcp 172.40.36.0 255.255.252.0 host 10.171.3.139 eq www (hitcnt=15)

Cheers