Inbound ACK's of normal traffic denied - 6.3(3)

BertK88
Level 1

Hello list,

There are more people reporting this problem, but this is my situation:

Clients - PIX (PAT) - Cisco SDSL router - Internet

Inbound TCP connection denied from 80.79.193.22/80 to pix/32686 flags PSH ACK

Inbound TCP connection denied from 80.79.193.242/80 to pix/32752 flags ACK

Inbound TCP connection denied from 80.79.193.242/80 to pix/32752 flags PSH ACK

Inbound TCP connection denied from 80.79.193.242/80 to pix/32752 flags FIN PSH ACK

Inbound TCP connection denied from 195.141.86.81/80 to pix/32772 flags PSH ACK

Inbound TCP connection denied from 198.133.219.25/80 to pix/32776 flags ACK

Inbound TCP connection denied from 198.133.219.25/80 to pix/32776 flags ACK

Inbound TCP connection denied from 62.69.162.6/80 to pix/32894 flags ACK

Inbound TCP connection denied from 62.69.162.6/80 to pix/32894 flags ACK

Inbound TCP connection denied from 62.69.162.6/80 to pix/32894 flags ACK

Any suggestions?

Thanks,

Bert Koelewijn

5 Replies

mostiguy
Level 6

I would use the capture command on the outside interface to try to look at the packets. Maybe the packets are duplicates, and that is why the PIX is not letting them through.

scoclayton
Level 7

The packets will be denied if the connection has been torn down. Go back through your syslogs and look for the message where the conn was created between the 2 hosts in question. Then search a little farther down in the logs and find where the conn was torn down. It will list a reason for termination. My guess is that you will see a conn tear down message above each of the denials like you listed above. Let me know if I can help. If you want to send me a full syslog dump (taken at debug level) with some denies in them, I will send you back a summary of what I see (sclayton@cisco.com).

Scott

ehirsel
Level 6

The most likely cause is asymmetric routing, either at your end or the other one. Are the deny messages coming from a partner network, or just general internet sites?

Do you have routers at your site other than the SDSL router that you've shown?

Below is some info from another question on this forum. It alludes to what level messages are being logged. Are you monitoring at level 6? However, normally after a teardown there should be no more packets arriving, but there is a sysopt command that will let the PIX monitor for quick teardowns. Look at the PIX 6.3 doc for some more info about quick close connections.

************************************************

The cause of these Deny messages appearing right after the upgrade from 6.2(2) to 6.3(3) has been found.

In short, the message level of this particular deny message was promoted from 4 to 6 with 6.3(3). Our config was set to monitor level 6 so all of a sudden we were seeing these messages. Cisco TAC is in the process of documenting this in the support site, however, a more detailed explanation provided by TAC follows:

Before 6.3.3, when a connection was torn down and any continuation packets arrived after the connection was torn down (for this same connection session), you would receive these messages:

Teardown TCP connection 77654 for outside:63.211.153.89/80 to inside:64.0.182.228/1322 duration 0:00:01 bytes 711

106015: Deny TCP (no connection) from 63.211.153.89/80 to 64.0.182.228/1322 flags ACK on interface outside

With 6.3.3, when a connection is torn down and any continuation packets arrive after the connection is torn down, you will see these messages:

Teardown TCP connection 77654 for outside:63.211.153.111/80 to inside:64.0.182.226/10351 duration 0:00:01 bytes 711

106023: Deny tcp src outside:63.211.153.111/80 dst inside:64.0.182.226/10351 by access-group "outside"

Therefore, if you have level 6 logging turned on (with 6.3.3), before you see this message:

106023: Deny tcp src outside:63.211.153.111/80 dst inside:64.0.182.226/10351 by access-group "outside"

you should also have a message that states that this connection is torn down. The reason the customer probably did not notice these messages before 6.3.3 is because the 106015: Deny TCP (no connection) message is a level 6 message, while 106023: Deny tcp src outside:63.211.153.111/80 is a level 4 message.
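As an added example (not code from any poster in this thread), here is a small Python script that does what Scott suggests by hand: it walks a syslog excerpt, remembers each Built/Teardown pair, and labels every denial as either a straggler of a connection the PIX already tore down (with the teardown reason) or an orphan with no prior connection. The sample log is constructed from the messages quoted in this thread plus one made-up orphan (198.51.100.7), and it understands both the PAT'd "Inbound TCP connection denied ... to pixfirewall/port" form and the 106023 "by access-group" form.

```python
import re

# Constructed sample, modelled on the syslog lines quoted in this thread:
# a PAT'd session ending in a reset, the TAC example pair, and one orphan denial.
SAMPLE_LOG = """\
Built outbound TCP connection 42602 for outside:193.67.79.226/80 (193.67.79.226/80) to inside:internalhost/1877 (pixfirewall/38223)
Teardown TCP connection 42602 for outside:193.67.79.226/80 to inside:internalhost/1877 duration 0:00:11 bytes 827688 TCP Reset-I
Inbound TCP connection denied from 193.67.79.226/80 to pixfirewall/38223 flags ACK on interface outside
Built outbound TCP connection 77654 for outside:63.211.153.111/80 (63.211.153.111/80) to inside:64.0.182.226/10351 (64.0.182.226/10351)
Teardown TCP connection 77654 for outside:63.211.153.111/80 to inside:64.0.182.226/10351 duration 0:00:01 bytes 711
106023: Deny tcp src outside:63.211.153.111/80 dst inside:64.0.182.226/10351 by access-group "outside"
Inbound TCP connection denied from 198.51.100.7/80 to pixfirewall/40001 flags PSH ACK on interface outside
"""

BUILT = re.compile(r"Built \w+ TCP connection (\d+) for outside:(\S+) \((\S+)\) to inside:(\S+) \((\S+)\)")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for outside:(\S+) to inside:(\S+) duration \S+ bytes \d+\s*(.*)")
DENIED = re.compile(r"Inbound TCP connection denied from (\S+) to (\S+) flags .+? on interface")
DENIED_ACL = re.compile(r"Deny tcp src outside:(\S+) dst inside:(\S+) by access-group")


def correlate(log_text):
    """Return one (log line, verdict) pair for each denial message in log_text."""
    conns = {}    # conn id -> (outside addr, inside addr, global/PAT addr) from 'Built'
    torn = {}     # (outside addr, inside-or-global addr) -> teardown reason
    results = []
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            conns[m.group(1)] = (m.group(2), m.group(4), m.group(5))
            continue
        m = TEARDOWN.search(line)
        if m:
            # Without a Built line the teardown's own addresses are the best key we have.
            outside, inside, glob = conns.get(m.group(1), (m.group(2), m.group(3), m.group(3)))
            reason = m.group(4).strip() or "no reason given"
            torn[(outside, inside)] = reason   # matches 106023-style 'dst inside:' denials
            torn[(outside, glob)] = reason     # matches PAT'd 'to pixfirewall/port' denials
            continue
        m = DENIED.search(line) or DENIED_ACL.search(line)
        if m:
            key = (m.group(1), m.group(2))
            verdict = "post-teardown straggler (%s)" % torn[key] if key in torn else "no prior connection seen"
            results.append((line, verdict))
    return results


if __name__ == "__main__":
    for line, verdict in correlate(SAMPLE_LOG):
        print(verdict, "<-", line)
```

Run it over a debug-level syslog dump; denials that come back as "no prior connection seen" are the ones worth a closer look (asymmetric routing or genuinely unsolicited packets), while stragglers with a "TCP Reset-I" style reason point at the conversation being closed by one end, as later in this thread.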

Thanks for your replies.

A more detailed picture:

clients (192.168.0.0/24)

|

gateway (192.168.0.254) - Cisco router - WAN

|

pix (192.168.0.252) - Cisco SDSL router - Internet

The following logs are from internet sites, not a partner network.

Built outbound TCP connection 42602 for outside:193.67.79.226/80 (193.67.79.226/80) to inside:internalhost/1877 (pixfirewall/38223)

Teardown TCP connection 42602 for outside:193.67.79.226/80 to inside:internalhost/1877 duration 0:00:11 bytes 827688 TCP Reset-I

Deny TCP (no connection) from internalhost/1877 to 193.67.79.226/80 flags RST on interface inside

Inbound TCP connection denied from 193.67.79.226/80 to pixfirewall/38223 flags ACK on interface outside

Why are the connections being reset?