Return traffic from port 80 denied

Unanswered Question
Aug 11th, 2008

Hi all,

I have seen this a lot with routers and PIXs. Traffic with a source port of port 80 and destination of a dynamic port is denied on the outside interface.

The traffic is from legitimate web servers that users are browsing through the NATed inspected interface. The websites appear to be working fine though. It does produce a lot of denies in my MARS logging though.

Is this normal or do I have a config problem? Is there something up with the web server not returning traffic correctly?

I have attached the sanitised config.

Marwan ALshawi Mon, 08/11/2008 - 22:15

try to add the

inspect http

to the

policy-map global_policy
 class inspection_default

good luck

fsmontenegro Tue, 08/12/2008 - 04:25

Hi,

I'm seeing something similar on ASAs with 7.2(4): very, very busy logging because of connections that are "denied" usually related to the regular traffic.

The best explanation I have so far (I'm still researching) is that the client connections (or server, for that matter) are being closed with TCP Resets from one side and any traffic from the other side gets immediately denied as the PIX/ASA clears the state table for that connection.

It is also making a mess of my MARS logging...

robertson.michael Tue, 08/12/2008 - 14:15

Hi,

I would start by taking a look at a couple of things:

1. Do you see the connection being built as the initial SYN comes through? If so, what interfaces is the connection built between?

2. What do the syslogs show as a deny reason? If you see the packet being denied due to "no connection", do the interfaces involved match the ones that you saw when the connection was built?

Oftentimes, this behavior will be caused by asymmetric routing/alternate paths to the Internet in your network. As an example, the initial SYN of the TCP connection may find its way out to the Internet through a path other than the firewall. The web server will still receive this SYN and respond with a SYN-ACK as expected. However, when this SYN-ACK hits the outside interface of the ASA, the ASA will drop the traffic because it never saw the initial SYN and it believes that the SYN-ACK is unsolicited.

Take a look at the syslogs that show if the initial connection is being built and also the logs that show the reason why the return traffic is being denied. Also, packet captures will be useful in figuring out exactly how the packets are flowing through your network.

Hope that helps.

-Mike

scottyd Tue, 08/12/2008 - 14:42

Thanks all for your feedback.

I have tried the inspect http command and have yet to see traffic on port 80 being denied. Not sure if it has been resolved yet. However I am still getting problems for HTTPS.

It seems to me that the connection is built up then it is torn down 10 seconds later and packets are denied. Then it is built up again.

I have attached the log from MARS. It is in reverse order in time. I have replaced the public IP with 1.1.1.1 and the website as 2.2.2.2.

thanks

Scott

robertson.michael Wed, 08/13/2008 - 11:21

Hi Scott,

It looks like the logs show your connection being torn down due to normal TCP FINs. I would recommend getting packet captures on both sides of the firewall to see exactly what the connection looks like.

-Mike

joe.favia Wed, 08/13/2008 - 06:43

Hi,

I've seen this type of error when there are routing problems in ACTIVE-ACTIVE firewall configurations, but this doesn't seem to be your case.

Joe

scottyd Mon, 10/13/2008 - 19:48

Thanks for your input so far.

I still cannot find the problem. Unfortunately it is difficult for me to sniff the traffic, as it is remote to me.

I am also seeing Resets tearing down the connection. Is there a way of extending the teardown time?

<134>Oct 14 2008 15:48:01: %ASA-6-302014: Teardown TCP connection 3177146 for outside:198.133.219.25/80 to inside:172.16.0.29/2158 duration 0:00:02 bytes 5191 TCP Reset-I

<134>Oct 14 2008 15:48:01: %ASA-6-106100: access-list outside_access_in denied tcp outside/198.133.219.25(80) -> inside/2.2.2.2(44219) hit-cnt 1 first hit [0x2c1c6a65, 0x0]
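An added triage script (written for this thread, not by any of the posters) that applies Mike's two checks to the message types quoted above: each 106100 deny is paired with a 302014 teardown of the same 4-tuple shortly before it, so you can separate "late packet after a Reset/FIN teardown" from "no state entry at all", which is the asymmetric-routing suspect. The sample lines are constructed (the 203.0.113.7 address is a documentation value) and the 10-second pairing window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the ASA 302014/106100 messages in the thread.
SAMPLE_LOGS = [
    "<134>Oct 14 2008 15:48:01: %ASA-6-302014: Teardown TCP connection 3177146 for "
    "outside:198.133.219.25/80 to inside:172.16.0.29/2158 duration 0:00:02 bytes 5191 TCP Reset-I",
    "<134>Oct 14 2008 15:48:01: %ASA-6-106100: access-list outside_access_in denied tcp "
    "outside/198.133.219.25(80) -> inside/172.16.0.29(2158) hit-cnt 1 first hit [0x2c1c6a65, 0x0]",
    "<134>Oct 14 2008 15:48:05: %ASA-6-106100: access-list outside_access_in denied tcp "
    "outside/203.0.113.7(443) -> inside/172.16.0.40(51000) hit-cnt 1 first hit [0x2c1c6a65, 0x0]",
]

TS = r"(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d)"
TEARDOWN = re.compile(
    TS + r": %ASA-\d-302014: Teardown TCP connection \d+ for "
    r"[\w-]+:(?P<src>[\d.]+)/(?P<sport>\d+) to [\w-]+:(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration \S+ bytes \d+ (?P<reason>.+)$")
DENY = re.compile(
    TS + r": %ASA-\d-106100: access-list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"[\w-]+/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> [\w-]+/(?P<dst>[\d.]+)\((?P<dport>\d+)\)")


def parse_ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")


def four_tuple(m):
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def classify_denies(lines, window=timedelta(seconds=10)):
    """Return (time, 4-tuple, verdict) for every 106100 line.

    Two passes, so MARS exports in reverse time order work unchanged.
    """
    teardowns = {}  # 4-tuple -> (teardown time, teardown reason)
    for line in lines:
        m = TEARDOWN.search(line)
        if m:
            teardowns[four_tuple(m)] = (parse_ts(m["ts"]), m["reason"])
    results = []
    for line in lines:
        m = DENY.search(line)
        if not m:
            continue
        key, when = four_tuple(m), parse_ts(m["ts"])
        td = teardowns.get(key)
        if td and timedelta(0) <= when - td[0] <= window:
            verdict = f"late packet after teardown ({td[1]})"  # state already cleared
        else:
            verdict = "no prior connection: check asymmetric path / take captures"
        results.append((when, key, verdict))
    return results
```

Feed it `classify_denies(open("asa.log").read().splitlines())` for a real export; a high share of the second verdict points at Mike's asymmetric-routing case rather than at inspection settings.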
