deny TCP (no connection)

Unanswered Question
Sep 3rd, 2008

Hi,

I am getting some logs on my ASA v8.0(3):

<166>Sep 03 2008 14:38:16: %ASA-6-106015: Deny TCP (no connection) from 10.40.62.7/1153 to 10.40.9.54/1521 flags PSH ACK on interface inside

<166>Sep 03 2008 14:42:25: %ASA-6-106015: Deny TCP (no connection) from 10.40.50.41/1521 to 10.40.62.7/4566 flags ACK on interface outside

<166>Sep 03 2008 14:42:26: %ASA-6-106015: Deny TCP (no connection) from 10.40.50.41/1521 to 10.40.62.7/4566 flags ACK on interface outside

<166>Sep 03 2008 14:42:27: %ASA-6-106015: Deny TCP (no connection) from 10.40.50.41/1521 to 10.40.62.7/4566 flags ACK on interface outside

<166>Sep 03 2008 14:42:28: %ASA-6-106015: Deny TCP (no connection) from 10.40.50.41/1521 to 10.40.62.7/4566 flags ACK on interface outside

<166>Sep 03 2008 14:42:29: %ASA-6-106015: Deny TCP (no connection) from 10.40.50.41/1521 to 10.40.62.7/4566 flags ACK on interface outside

<166>Sep 03 2008 14:46:56: %ASA-6-106015: Deny TCP (no connection) from 10.40.62.7/1782 to 10.40.68.10/8443 flags RST on interface inside

<166>Sep 03 2008 14:47:30: %ASA-6-106015: Deny TCP (no connection) from 10.40.50.41/1521 to 10.40.62.7/1411 flags ACK on interface outside

<166>Sep 03 2008 14:47:31: %ASA-6-106015: Deny TCP (no connection) from 10.40.50.41/1521 to 10.40.62.7/1411 flags ACK on interface outside

<166>Sep 03 2008 14:47:32: %ASA-6-106015: Deny TCP (no connection) from 10.40.50.41/1521 to 10.40.62.7/1411 flags ACK on interface outside

<166>Sep 03 2008 14:47:33: %ASA-6-106015: Deny TCP (no connection) from 10.40.50.41/1521 to 10.40.62.7/1411 flags ACK on interface outside

<166>Sep 03 2008 14:47:34: %ASA-6-106015: Deny TCP (no connection) from 10.40.50.41/1521 to 10.40.62.7/1411 flags ACK on interface outside

<166>Sep 03 2008 15:13:16: %ASA-6-106015: Deny TCP (no connection) from 10.40.62.7/4566 to 10.40.50.41/1521 flags PSH ACK on interface inside

<166>Sep 03 2008 15:28:52: %ASA-6-106015: Deny TCP (no connection) from 10.40.62.7/2034 to 10.40.50.31/80 flags RST on interface inside

<166>Sep 03 2008 15:28:52: %ASA-6-106015: Deny TCP (no connection) from 10.40.62.7/2034 to 10.40.50.31/80 flags RST on interface inside

<166>Sep 03 2008 15:49:00: %ASA-6-106015: Deny TCP (no connection) from 10.40.62.7/2215 to SRV_PROXY_DNS_10_106_23_20/8080 flags RST on interface inside

<166>Sep 03 2008 15:52:25: %ASA-6-106015: Deny TCP (no connection) from 10.40.50.31/80 to 10.40.62.7/2356 flags ACK on interface outside

This is a filtered view of one day of log messages.

I decided to filter on 10.40.62.7 and "Deny TCP (no connection)" because this client has disconnection problems with an Oracle client.

I increased the TCP timeout, but it doesn't seem to be any better.

smahbub Tue, 09/09/2008 - 08:15

Error Message - %PIX|ASA-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.

Explanation - The security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.

Recommended Action - None required unless the security appliance receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.

suschoud Tue, 09/09/2008 - 10:05

Please look for the "teardown" message rather than what you are filtering now.

That will tell us why the connection was terminated in the first place. After the connection was terminated, the server 10.40.50.41 is still sending traffic, which is being denied by the f/w (for the obvious reason that there is no associated connection, and to create a connection, the SYN bit should be sent).

Regards,

Sushil
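One way to line up each denied flow with its teardown, as suggested in the reply above; this is an added example, not code from the thread. The 106015 lines in the sample are copied from the original post, while the 302014 teardown line is constructed (the thread shows none), and the function names are hypothetical.

```python
import re

# Syslog 106015 (format quoted in the thread) and 302014 (TCP teardown).
DENY = re.compile(
    r"%(?:ASA|PIX)-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[^/\s]+)/(?P<sport>\d+) to (?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?)\s+on interface (?P<ifc>\S+)")
TEARDOWN = re.compile(
    r"%(?:ASA|PIX)-6-302014: Teardown TCP connection \d+ for "
    r"[^:\s]+:(?P<src>[^/\s]+)/(?P<sport>\d+) to "
    r"[^:\s]+:(?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"duration \S+ bytes \d+\s*(?P<reason>.*)")

def flow_key(m):
    """Direction-independent key so both halves of a flow group together."""
    return tuple(sorted([(m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))]))

def correlate(lines):
    """Map each flow to its teardown reason (if logged) and its deny count."""
    flows = {}
    for line in lines:
        m = TEARDOWN.search(line) or DENY.search(line)
        if not m:
            continue
        f = flows.setdefault(flow_key(m), {"reason": None, "denies": 0, "flags": set()})
        if "reason" in m.groupdict():
            f["reason"] = m["reason"].strip() or "unspecified"
        else:
            f["denies"] += 1
            f["flags"].add(m["flags"])
    return flows

SAMPLE = [
    # Constructed teardown line (hypothetical connection id, byte count, reason).
    "<166>Sep 03 2008 13:42:20: %ASA-6-302014: Teardown TCP connection 4242 for outside:10.40.50.41/1521 to inside:10.40.62.7/4566 duration 1:00:00 bytes 5120 Conn-timeout",
    # The lines below are copied from the original post.
    "<166>Sep 03 2008 14:42:25: %ASA-6-106015: Deny TCP (no connection) from 10.40.50.41/1521 to 10.40.62.7/4566 flags ACK on interface outside",
    "<166>Sep 03 2008 14:42:26: %ASA-6-106015: Deny TCP (no connection) from 10.40.50.41/1521 to 10.40.62.7/4566 flags ACK on interface outside",
    "<166>Sep 03 2008 14:46:56: %ASA-6-106015: Deny TCP (no connection) from 10.40.62.7/1782 to 10.40.68.10/8443 flags RST on interface inside",
    "<166>Sep 03 2008 15:13:16: %ASA-6-106015: Deny TCP (no connection) from 10.40.62.7/4566 to 10.40.50.41/1521 flags PSH ACK on interface inside",
]

if __name__ == "__main__":
    for ((a, ap), (b, bp)), f in correlate(SAMPLE).items():
        print(f"{a}/{ap} <-> {b}/{bp}: {f['denies']} denies, "
              f"flags={sorted(f['flags'])}, teardown={f['reason'] or 'not in log'}")
```

Flows reported with `teardown=not in log` need a wider log window or a lower logging filter before the cause can be read off.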
