Inbound TCP connection denied for flags FIN/PSH ACK on interface outside

jpiao
Level 1

In Pix 515 with 6.3(3), lots of alerts are captured as:

%PIX-2-106001: Inbound TCP connection denied from 209.104.39.100/80 to 209.183.x.x/64375 flags FIN ACK on interface outside

%PIX-2-106001: Inbound TCP connection denied from 203.176.60.90/80 to 209.183.x.x/64471 flags PSH ACK on interface outside

%PIX-2-106001: Inbound TCP connection denied from 203.176.60.90/80 to 209.183.x.x/64471 flags PSH ACK on interface outside

%PIX-2-106001: Inbound TCP connection denied from 203.176.60.90/80 to 209.183.x.x/64476 flags ACK on interface outside

%PIX-2-106001: Inbound TCP connection denied from 203.176.60.90/80 to 209.183.x.x/64476 flags ACK on interface outside

%PIX-2-106001: Inbound TCP connection denied from 203.176.60.90/80 to 209.183.x.x/64476 flags PSH ACK on interface outside

%PIX-2-106001: Inbound TCP connection denied from 203.176.60.90/80 to 209.183.x.x/64476 flags PSH ACK on interface outside

%PIX-2-106001: Inbound TCP connection denied from 203.176.60.153/80 to 209.183.x.x/64478 flags ACK on interface outside

%PIX-2-106001: Inbound TCP connection denied from 203.176.60.153/80 to 209.183.x.x/64480 flags FIN PSH ACK on interface outside

%PIX-2-106001: Inbound TCP connection denied from 203.176.60.153/80 to 209.183.x.x/64481 flags ACK on interface outside

%PIX-2-106001: Inbound TCP connection denied from 203.176.60.153/80 to 209.183.x.x/64482 flags ACK on interface outside

I checked the Cisco Output Interpreter, which indicates it is related to a failover, but actually there is no PIX failover any more, and it seems these are not attacks.

Any comments will be very appreciated.

4 Replies

nkhawaja
Cisco Employee

Hi

Do you have multiple routes to the Internet?

Thanks

Nadeem

Hi Nadeem,

There is only one default route to the Internet, as shown in the following config.

Both remote sites have the same issue after being upgraded to image 6.3(3), but the hub PIX has no problem.

cam-pixfirewall# sh run

: Saved

:

PIX Version 6.3(3)

interface ethernet0 10baset

interface ethernet1 10baset

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 5xK.V8i3.A4OSqwP encrypted

passwd 5xK.V8i3.A4OSqwP encrypted

hostname cam-pixfirewall

clock timezone EST -5

clock summer-time EDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list 100 permit ip 10.20.3.0 255.255.255.0 10.20.1.0 255.255.255.0

access-list 100 permit ip 10.20.3.0 255.255.255.0 10.20.2.0 255.255.255.0

access-list 100 permit ip 10.20.3.0 255.255.255.0 10.20.6.0 255.255.255.0

access-list 100 permit ip 10.20.3.0 255.255.255.0 10.20.10.0 255.255.255.0

access-list 100 permit ip 10.20.3.0 255.255.255.0 10.20.11.0 255.255.255.0

access-list 100 permit ip 10.20.3.0 255.255.255.0 10.20.12.0 255.255.255.0

access-list 100 permit ip 10.20.3.0 255.255.255.0 10.100.0.0 255.255.0.0

access-list 100 permit ip 10.20.3.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list 100 permit ip 10.20.3.0 255.255.255.0 host 205.184.244.56

access-list 100 permit ip 10.20.3.0 255.255.255.0 host 205.184.244.33

access-list 100 permit ip 10.20.3.0 255.255.255.0 10.20.4.0 255.255.255.0

access-list 110 permit ip 10.20.3.0 255.255.255.0 10.20.1.0 255.255.255.0

access-list 110 permit ip 10.20.3.0 255.255.255.0 10.20.6.0 255.255.255.0

access-list 110 permit ip 10.20.3.0 255.255.255.0 10.20.10.0 255.255.255.0

access-list 110 permit ip 10.20.3.0 255.255.255.0 10.20.11.0 255.255.255.0

access-list 110 permit ip 10.20.3.0 255.255.255.0 10.20.12.0 255.255.255.0

access-list 110 permit ip 10.20.3.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list 110 permit ip 10.20.3.0 255.255.255.0 10.100.0.0 255.255.0.0

access-list 110 permit ip 10.20.3.0 255.255.255.0 host 205.184.244.56

access-list 110 permit ip 10.20.3.0 255.255.255.0 host 205.184.244.33

access-list 120 permit ip 10.20.3.0 255.255.255.0 10.20.2.0 255.255.255.0

access-list vpnnonat permit ip 10.20.4.0 255.255.255.0 10.20.3.0 255.255.255.0

access-list vpnnonat permit ip 10.20.3.0 255.255.255.0 10.20.4.0 255.255.255.0

pager lines 44

logging on

logging timestamp

logging buffered critical

logging trap notifications

logging history notifications

no logging message 106014

no logging message 106013

no logging message 106011

no logging message 304001

mtu outside 1500

mtu inside 1500

ip address outside 209.183.x.a 255.255.255.252

ip address inside 10.20.3.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm reset

ip local pool ipsecclients 10.20.4.2-10.20.4.100

no pdm history enable

arp timeout 14400

global (outside) 1 209.183.x.b

nat (inside) 0 access-list 100

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 209.183.x.c 1

timeout xlate 1:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

ntp server 128.100.100.128 source outside

ntp server 192.43.244.18 source outside

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt ipsec pl-compatible

crypto ipsec transform-set delta esp-des esp-md5-hmac

crypto dynamic-map users 40 set transform-set delta

crypto map deltamap 10 ipsec-isakmp

crypto map deltamap 10 match address 110

crypto map deltamap 10 set peer 209.183.x.x

crypto map deltamap 10 set transform-set delta

crypto map deltamap 20 ipsec-isakmp

crypto map deltamap 20 match address 120

crypto map deltamap 20 set peer 209.183.x.x

crypto map deltamap 20 set transform-set delta

crypto map deltamap 40 ipsec-isakmp dynamic users

crypto map deltamap client configuration address initiate

crypto map deltamap client configuration address respond

crypto map deltamap interface outside

isakmp enable outside

isakmp key ******** address 209.183.x.x netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address 209.183.x.x netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp client configuration address-pool local ipsecclients outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 1000

vpngroup vpnusers address-pool ipsecclients

vpngroup vpnusers dns-server 10.20.3.7

vpngroup vpnusers wins-server 10.20.3.7

vpngroup vpnusers default-domain abc.ca

vpngroup vpnusers idle-time 1800

vpngroup vpnusers password ********

telnet timeout 5

ssh timeout 15

console timeout 0

terminal width 80

Cryptochecksum:00000000000000000000000000000000

: end

cam-pixfirewall# sh ver

Cisco PIX Firewall Version 6.3(3)

Compiled on Wed 13-Aug-03 13:55 by morlee

cam-pixfirewall up 15 days 20 hours

Hardware: PIX-506, 32 MB RAM, CPU Pentium 200 MHz

Flash i28F640J5 @ 0x300, 8MB

BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0004.2746.369a, irq 11

1: ethernet1: address is 0004.2746.369b, irq 10

Licensed Features:

Failover: Disabled

VPN-DES: Enabled

VPN-3DES-AES: Disabled

Maximum Physical Interfaces: 2

Maximum Interfaces: 2

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Limited

IKE peers: Unlimited

This PIX has a Restricted (R) license.

Serial Number: 480490238 (0x1ca3b2fe)

Running Activation Key: 0x084d5388 0xb2cd013b 0x9990061e 0x69c3b54c

Configuration last modified by enable_15 at 09:45:50.496 EST Wed Nov 19 2003

cam-pixfirewall#

106001: Inbound TCP connection denied from 194.109.6.92/80 to 209.183.130.73/26819 flags ACK on interface outside

106001: Inbound TCP connection denied from 194.109.6.92/80 to 209.183.130.73/26819 flags ACK on interface outside

106001: Inbound TCP connection denied from 194.109.6.92/80 to 209.183.130.73/26819 flags ACK on interface outside

106001: Inbound TCP connection denied from 62.221.192.66/80 to 209.183.130.73/26822 flags ACK on interface outside

106001: Inbound TCP connection denied from 62.221.192.66/80 to 209.183.130.73/26822 flags PSH ACK on interface outside

106001: Inbound TCP connection denied from 62.221.192.66/80 to 209.183.130.73/26822 flags PSH ACK on interface outside

106001: Inbound TCP connection denied from 62.221.192.66/80 to 209.183.130.73/26822 flags PSH ACK on interface outside

106001: Inbound TCP connection denied from 62.221.192.66/80 to 209.183.130.73/26822 flags PSH ACK on interface outside

106001: Inbound TCP connection denied from 212.104.129.40/80 to 209.183.130.73/26827 flags ACK on interface outside

106001: Inbound TCP connection denied from 212.104.129.40/80 to 209.183.130.73/26827 flags ACK on interface outside

106001: Inbound TCP connection denied from 212.104.129.40/80 to 209.183.130.73/26827 flags PSH ACK on interface outside

106001: Inbound TCP connection denied from 216.19.67.187/80 to 209.183.130.73/26839 flags ACK on interface outside

106001: Inbound TCP connection denied from 216.19.67.187/80 to 209.183.130.73/26839 flags ACK on interface outside

106001: Inbound TCP connection denied from 216.19.67.187/80 to 209.183.130.73/26839 flags PSH ACK on interface outside

106001: Inbound TCP connection denied from 216.19.67.187/80 to 209.183.130.73/26840 flags ACK on interface outside

106001: Inbound TCP connection denied from 216.19.67.187/80 to 209.183.130.73/26840 flags PSH ACK on interface outside

106001: Inbound TCP connection denied from 216.19.67.187/80 to 209.183.130.73/26844 flags ACK on interface outside

106001: Inbound TCP connection denied from 216.19.67.187/80 to 209.183.130.73/26844 flags ACK on interface outside

What do you think?

Thanks

In your topology, do the remote sites connect to the hub/central site for external access?

Is there a proxy server that your clients connect to for external access?

Can you run two capture traces of a connection to 216.19.67.187 from a site that has this issue? Run one on the inside interface and the other on the outside interface. I am interested in whether the TCP connection close that the client generates is propagated to the remote server; if it is, then I would see a normal TCP close on both captures.

Let me know if you need help in setting up the capture.
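Before running the captures, it helps to triage the 106001 messages by their flag pattern: a denied packet carrying ACK (with or without PSH/FIN) but no SYN is the tail of a session the PIX has already torn down, not a new inbound connection attempt, which would show a bare SYN. The script below is an added example, not part of this thread or a Cisco tool; the log lines it parses are copied from the posts above, plus one constructed SYN line for contrast.

```python
import re
from collections import Counter

# Syslog format seen in this thread; the leading "%PIX-2-" tag is optional
# because the buffered-log copy pasted later in the thread omits it.
PIX_106001 = re.compile(
    r"(?:%PIX-\d-)?106001: Inbound TCP connection denied from "
    r"(?P<src>[\w.]+)/(?P<sport>\d+) to (?P<dst>[\w.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)"
)

def classify(flags):
    """Label a denied packet by its TCP flags.

    SYN without ACK is a genuine inbound connection attempt. ACK without SYN
    belongs to a session the PIX no longer tracks: late data, a retransmission,
    or a close that arrived after the conn entry was removed.
    """
    f = set(flags.split())
    if "SYN" in f and "ACK" not in f:
        return "new-connection-attempt"
    if "ACK" in f and "SYN" not in f:
        return "stale-session-packet"
    return "other"

def triage(lines):
    """Parse 106001 lines and count them by classification and by server."""
    summary = {"by_class": Counter(), "by_server": Counter(), "parsed": 0}
    for line in lines:
        m = PIX_106001.search(line)
        if not m:
            continue
        summary["parsed"] += 1
        summary["by_class"][classify(m.group("flags"))] += 1
        summary["by_server"][f"{m.group('src')}/{m.group('sport')}"] += 1
    return summary

# Three lines taken from the thread plus one constructed bare-SYN line
# (198.51.100.7 is a documentation address, not a real host in this thread).
SAMPLE_LOGS = [
    "%PIX-2-106001: Inbound TCP connection denied from 209.104.39.100/80 to 209.183.x.x/64375 flags FIN ACK on interface outside",
    "106001: Inbound TCP connection denied from 216.19.67.187/80 to 209.183.130.73/26844 flags ACK on interface outside",
    "106001: Inbound TCP connection denied from 216.19.67.187/80 to 209.183.130.73/26839 flags PSH ACK on interface outside",
    "%PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/4444 to 209.183.130.73/22 flags SYN on interface outside",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
```

If nearly every entry lands in "stale-session-packet" and the servers are all on port 80, the denies are web sessions closing, which is consistent with the "not attacks" reading in the original post.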

cdoyle
Level 1

Jack,

Did you ever get a resolution to this? I believe I'm experiencing the same issue since upgrading from 6.2(2) to 6.3(3).

My posting on Apr 24, 2004 is called "After upgrade from 6.2(2) to 6.3(3) we see more denys". If you could take a look I'd really appreciate it.

Thanks,

Craig.