ASA 5585 Flow Closed by inspection - running 8.4(6)

karthik.gopalakrishnan · ‎08-22-2013

Hi,

We have a pair of ASA 5585-X in HA, running 8.4(6). Off late there have been a lot of concerns with file transfers getting terminated randomly with the log below:

%ASA-6-302014: Teardown TCP connection 103431437 for outside:x.x.x.x/1025 to inside:y.y.y.y/50022 duration 1:19:34 bytes 395734649 Flow closed by inspection

This is perfectly reproducible and is NOT related to the similar bug: CSCtg17779 as we notice that the session is being killed abruptly, and not a regular FIN/ACK etc.

When we tried from another pair of ASA 5525-X running 9.0 code, we could not reproduce the issue. Has anyone else seen this behaviour before? On the TCP packet captures on my firewall, I clearly see a RST packet form the remote IP to my local IP, however when I saw the captures from the remote FW, there is no packet showing a RST being sent from their IP.

Any thoguhts/suggestions/comments would be appreciated...

Thanks!

karthik.gopalakrishnan · ‎08-22-2013

FYI.. I have tried sysopt onn tcpmsss1300 and sysopt conn preserve-vpn-flows per TAC - but still the same state...

r.mikes · ‎11-05-2013

Hi,

did you get any furter with the issue. I saw similar behaviour in pair of ASA 5550, 8.4(7) few weeks ago . TCP connections were incidentialy dropped with Teardown "Flow closed by inspection" message. It were not just wrong logging issue. The real traffic was affected.

Once I downgraded to an earlier release it disapeared. The 8.4(7) have been running with on other ASA boxes (5510, 5520)

with no problem.

Any clue appritiated.

Thanks

karthik.gopalakrishnan · ‎11-05-2013

Looks like this is the Bug with the problem:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuj54806

We have removed "inspect icmp" from the Service Policy for the issue to be resolved temporarily.

Thanks.