Buy or Renew
Buy or Renew
Cisco Community present at Cisco Live EMEA 2023. See you in Amsterdam! Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1726
Views
0
Helpful
2
Replies

Why ASA is dropping Syn/Ack packet from a permited connection by ACL

alexandre.joanelli
Beginner
Beginner

‎09-23-2014 12:04 PM - edited ‎03-11-2019 09:49 PM

Hey guys

 

I'm experiencing some kind of weird behavior of my ASA 5520 (8.3.1)

I have a customer that needs to access an inside webserver of mine.

I've created a rule in the proper ACL permitting another range of their address to access the web server.

I can see the syn packet being permitted, acl's counter increases, and... the Syn/Ack being denied by the firewall!!!

Look the log...


6|Sep 17 2014|16:29:29|302013|172.40.36.20|3154|10.171.3.139|80|Built outbound TCP connection 1075586687 for vlan5:10.171.3.139/80 (10.171.3.139/80) to vlan155:172.40.36.20/3154 (172.40.36.20/3154)

2|Sep 17 2014|16:29:29|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK  on interface vlan155

2|Sep 17 2014|16:29:32|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK  on interface vlan155
2|Sep 17 2014|16:29:38|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK  on interface vlan155
 

Also, we don't use NAT for those IP's

 

Anyone?

 

Labels:
0 Helpful
2 Replies 2

ramadasaid0204
Beginner
Beginner

‎09-23-2014 01:56 PM

Hi,

Can you post the ACL as well ?

Or, may be your ASA is smelling some SYN Flood Attacks from your client and the TCP Intercept is in the business to prevent the 3-Way from completing.

Cheers

0 Helpful

alexandre.joanelli
Beginner
Beginner
In response to ramadasaid0204

‎09-23-2014 01:56 PM

Hi

Thanks for helpping!

 access-list vlan155_access_in line 4 extended permit tcp 172.40.36.0 255.255.252.0 host 10.171.3.139 eq www (hitcnt=15)

Cheers

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents