Why is Layer-2-adjacent traffic from admin-PC to ASA logged as "Deny"?

Corey Koellein
Level 1

ASA 5506-X Very basic initial config.

Purpose is to firewall my server lab from my HOME-NET and the Internet.

 

ASA is on my HOME-NET 192.168.82.0.

PC is 192.168.82.99.

ASA HOME-NET (outside) interface is 192.168.82.100.

 

I am able to ASDM to the ASA on 192.168.82.100.

 

I bring up logging monitor.

 

I am seeing Deny messages generated by my ASDM session from my PC 192.168.82.99 to the ASA 192.168.82.100... even though they are in the same Layer-2 segment together, so the traffic is getting to the ASA just fine... I see my configuration changes happening successfully via the console session (show run). Why are the Deny messages there?

 

(6 May 15 2022 04:11:46 106015 192.168.82.99 1041 192.168.82.100 443 Deny TCP (no connection) from 192.168.82.99/1041 to 192.168.82.100/443 flags FIN ACK on interface HOME-NET)

 

How do I properly configure to get rid of them? There is no session (no connection) established, it says... I get that... but I tried creating a rule on the HOME-NET interface that explicitly allows .99 to talk to .100 via 443... wouldn't it then establish a session that could be "tracked" as an established session? How do I establish that connection to avoid this Deny from being triggered? I assume it is benign and can be ignored, but I'm trying to understand what/why it's happening and if I can "properly" avoid it.

3 Replies

Interface HOME-NET has security-level 0 with IP address 192.168.82.100, and your PC is connected to this subnet with IP address 192.168.82.99. You have enabled HTTPS on HOME-NET to get access to ASDM. The access rule defined in the figure you show is to let 192.168.82.99 connect to 192.168.82.100 on port https (443).

 

Looking into your logs 106015 and 302014: the 302014 log entry is TCP Reset-O (means that the HOME-NET host sent a reset). The 106015 is Deny TCP (no connection) FIN ACK on interface HOME-NET.

So the PC sent a TCP reset, and the ASA acknowledged it and finished the session.

You can set up a capture on the HOME-NET interface to get more detail and open it in Wireshark:

capture HOME-NET interface HOME-NET match ip host 192.168.82.99 host 192.168.82.100

Please do not forget to rate.

http server enable

http x.x.x.x y.y.y.y outside <- have you configured this?

The ACL that you refer to in the screenshot is to allow THROUGH THE BOX traffic and not TO THE BOX traffic, so this will not have any effect on your ASDM connection.

The "no connection" log message usually indicates that there is asynchronous routing happening, but since the PC and ASA are on the same subnet it is a little strange that this is showing up. I don't suppose you have NAT configured for this connection as well?

Could you provide a complete running configuration of the ASA (remember to remove any public IPs and change or remove usernames and passwords)?

--
Please remember to select a correct answer and rate helpful posts
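As an added example (not code from the thread), this applies the distinction the last two replies draw, to-the-box traffic aimed at the ASA's own interface IP versus through-the-box traffic governed by the interface ACL, to ASDM-style log lines like the one pasted in the question. The box address and management port are taken from the thread, and the 302014 teardown line is constructed for illustration.

```python
import re
from typing import Optional

# ASDM "logging monitor" columns: sev date time msgid src sport dst dport text
LINE_RE = re.compile(
    r"^(?P<sev>\d) (?P<date>\w{3} \d{1,2} \d{4}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<msgid>\d{6}) (?P<src>[\d.]+) (?P<sport>\d+) (?P<dst>[\d.]+) "
    r"(?P<dport>\d+) (?P<text>.+)$"
)
# The ASA's own interface address and the management port in use (ASDM over
# HTTPS), both taken from the thread; adjust for another box.
BOX_ADDRESSES = {"192.168.82.100"}
MGMT_PORTS = {443}

def parse_line(line: str) -> Optional[dict]:
    """Parse one line into a dict; the poster's enclosing parentheses are tolerated."""
    m = LINE_RE.match(line.strip().strip("()"))
    if not m:
        return None
    return {k: int(v) if k in ("sev", "sport", "dport") else v
            for k, v in m.groupdict().items()}

def classify(ev: dict) -> str:
    """Interface ACLs govern through-the-box traffic only; to-the-box is 'http'/'ssh'."""
    if ev["dst"] in BOX_ADDRESSES:
        return "to-the-box-mgmt" if ev["dport"] in MGMT_PORTS else "to-the-box"
    return "through-the-box"

def is_late_segment(ev: dict) -> bool:
    """106015 'no connection' with FIN/ACK but no SYN, aimed at the box itself: a
    trailing segment for a session already torn down, not a policy denial."""
    return (ev["msgid"] == "106015" and classify(ev).startswith("to-the-box")
            and "FIN" in ev["text"] and "SYN" not in ev["text"])

def triage(lines) -> list:
    """(msgid, classification, late_segment) for every parseable line."""
    return [(ev["msgid"], classify(ev), is_late_segment(ev))
            for ev in map(parse_line, lines) if ev]

# Sample input: the first line is the one pasted in the question; the 302014
# teardown line is constructed here to show the reset the first reply describes.
SAMPLE_LOG = [
    "(6 May 15 2022 04:11:46 106015 192.168.82.99 1041 192.168.82.100 443 Deny TCP "
    "(no connection) from 192.168.82.99/1041 to 192.168.82.100/443 flags FIN ACK "
    "on interface HOME-NET)",
    "6 May 15 2022 04:11:46 302014 192.168.82.99 1041 192.168.82.100 443 Teardown TCP "
    "connection 12 for HOME-NET:192.168.82.99/1041 to identity:192.168.82.100/443 "
    "duration 0:00:03 bytes 4120 TCP Reset-O",
]
```

Running `triage(SAMPLE_LOG)` tags the question's 106015 line as a to-the-box late segment, which is why a permit rule on the HOME-NET ACL cannot make it go away.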