Some of my users were complaining their software was not working correctly. It retrieves files from a remote host and then constructs a model from these files. Retrieving and constructing behind our ASA5510 resulted in a corrupt model, while the same actions at home (where they don't have an ASA) always work.

I tracked down (at least I think I did) the problem to these messages from the syslog:

Nov 21 18:31:02 vpn : Nov 21 18:31:02 CEST: %ASA-session-6-302013: Built outbound TCP connection 10627309 for outside:184.108.40.206/443 (220.127.116.11/443) to inside:10.0.4.51/50978 (10.0.4.51/50978)
Nov 21 18:31:12 vpn : Nov 21 18:31:12 CEST: %ASA-session-6-302014: Teardown TCP connection 10627309 for outside:18.104.22.168/443 to inside:10.0.4.51/50978 duration 0:00:09 bytes 722969 TCP Reset-I
Nov 21 18:31:12 vpn : Nov 21 18:31:12 CEST: %ASA-session-6-106015: Deny TCP (no connection) from 22.214.171.124/443 to 10.0.4.51/50978 flags FIN ACK on interface outside
Nov 21 18:31:12 vpn : Nov 21 18:31:12 CEST: %ASA-session-6-106015: Deny TCP (no connection) from 126.96.36.199/443 to 10.0.4.51/50978 flags ACK on interface outside
Nov 21 18:31:38 vpn : Nov 21 18:31:38 CEST: %ASA-session-6-302013: Built outbound TCP connection 10627324 for outside:188.8.131.52/443 (184.108.40.206/443) to inside:10.0.4.51/50979 (10.0.4.51/50979)
Nov 21 18:31:43 vpn : Nov 21 18:31:43 CEST: %ASA-session-6-302014: Teardown TCP connection 10627324 for outside:220.127.116.11/443 to inside:10.0.4.51/50979 duration 0:00:05 bytes 418328 TCP FINs

I think the connection is not nicely closed and the remote host is not sending all files, or the client is not retrieving all the files correctly. After searching a lot I added sysopt connection timedwait, but this does not seem to change anything. I suspected 106028 Deny TCP (Connection marked for deletion) messages, but can't find them in the syslog.

My configuration is pretty straightforward, with a wireless AP > ASA5510 > Cisco871 > internet, so there is no asynchronous routing on our side.

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)

Can someone help me resolve these Deny TCP messages? Or is the only solution to disable stateful inspection for certain hosts, which is not my preferred solution?
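Added example, not part of the original post: a Python script that pairs each 302014 teardown with the 106015 "Deny TCP (no connection)" messages seen on the same flow shortly afterwards, so the teardown reason (such as TCP Reset-I) can be read next to the late segments. The sample log is constructed in the post's format with documentation-range addresses; the 30-second window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the post's log format; addresses are documentation-range
# placeholders, not values from the original syslog.
SAMPLE = """\
Nov 21 18:31:02 CEST: %ASA-session-6-302013: Built outbound TCP connection 101 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.4.51/50978 (10.0.4.51/50978)
Nov 21 18:31:12 CEST: %ASA-session-6-302014: Teardown TCP connection 101 for outside:203.0.113.10/443 to inside:10.0.4.51/50978 duration 0:00:09 bytes 722969 TCP Reset-I
Nov 21 18:31:12 CEST: %ASA-session-6-106015: Deny TCP (no connection) from 203.0.113.10/443 to 10.0.4.51/50978 flags FIN ACK on interface outside
Nov 21 18:31:12 CEST: %ASA-session-6-106015: Deny TCP (no connection) from 203.0.113.10/443 to 10.0.4.51/50978 flags ACK on interface outside
Nov 21 18:31:43 CEST: %ASA-session-6-302014: Teardown TCP connection 102 for outside:203.0.113.10/443 to inside:10.0.4.51/50979 duration 0:00:05 bytes 418328 TCP FINs
Nov 21 18:40:00 CEST: %ASA-session-6-106015: Deny TCP (no connection) from 198.51.100.7/80 to 10.0.4.51/50001 flags RST on interface outside
"""

HDR = r"(?P<ts>\w{3} +\d+ [\d:]{8}) \S+: %ASA-(?:\w+-)?\d-"
TEARDOWN = re.compile(HDR + r"302014: Teardown TCP connection (?P<id>\d+) for "
                      r"\w+:(?P<a>\S+) to \w+:(?P<b>\S+) duration \S+ bytes \d+ (?P<reason>.+)")
DENY = re.compile(HDR + r"106015: Deny TCP \(no connection\) from (?P<src>\S+) "
                  r"to (?P<dst>\S+) flags (?P<flags>.+?) on interface")

def parse_ts(ts):
    # Syslog timestamps carry no year; a fixed one is assumed for arithmetic.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")

def late_segments(log, window=timedelta(seconds=30)):
    """Pair 302014 teardowns with 106015 denies seen on the same flow afterwards."""
    closed, orphans = {}, []
    for line in log.splitlines():
        if m := TEARDOWN.search(line):
            # Key on the unordered endpoint pair so either direction matches.
            closed[frozenset((m["a"], m["b"]))] = {
                "id": m["id"], "reason": m["reason"].strip(),
                "at": parse_ts(m["ts"]), "late": []}
        elif m := DENY.search(line):
            rec = closed.get(frozenset((m["src"], m["dst"])))
            if rec and timedelta(0) <= parse_ts(m["ts"]) - rec["at"] <= window:
                rec["late"].append(m["flags"])
            else:
                orphans.append((m["src"], m["dst"], m["flags"]))
    return [r for r in closed.values() if r["late"]], orphans

if __name__ == "__main__":
    flows, orphans = late_segments(SAMPLE)
    for f in flows:
        print(f"conn {f['id']} closed ({f['reason']}), late segments: {f['late']}")
    print(f"{len(orphans)} deny with no recent teardown")
```

Denies that pair with a teardown are segments arriving after the ASA already removed the connection entry; denies left in the second list have no recent teardown for that flow in the log.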