ASA log - Deny tcp fin ack on int mgmt

Unanswered Question
May 19th, 2009
User Badges:

While in ASDM via the management interface, I get ASA log entries every 30 seconds with 'deny TCP (no connection) from *** to ***/443 flags FIN ACK on interface management'. Operation of ASDM is not impacted, but I'd like to correct this if possible.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
handsy Tue, 05/19/2009 - 07:41
User Badges:

I have exactly the same problem, and would love to know a fix too.

mlpalmer Fri, 05/22/2009 - 10:16
User Badges:

Opened a TAC case. I'll make sure the results get posted.

suschoud Fri, 05/22/2009 - 12:15
User Badges:
  • Gold, 750 points or more

I did a recreate in my lab.I saw the exact same behaviour.

What we all are seeing appears to be a normal behavior.

When you load up ASDM, there is one main connection to the ASA interface on port 443 via which GUI is populated. The other possible connection

could be logging connection via which ASDM gets logs from ASA.

Apart from this, if there is any command which you need to execute from ASDM, or when you navigate through ASDM windows/frames, most of them would cause ASDM to send a command to ASA and use the output to populate

the fields on GUI. These commands are *not* sent on the same connection via which GUI is visible, but via a new separate connection. As soon as

ASA gets the output, the connection is closed and the FIN+ACK is denied because connection no longer exists.

mlpalmer Fri, 05/22/2009 - 12:19
User Badges:

That is exactly my point and I would view this as a deficiency. The ASA should be able to properly terminate connections, especially from / to itself.

Let me know if you agree or disagree with the assessment.

Also, I opened a dialog on NetPro on this topic. Would you be willing to post your respose there too? At least one other person was seeking a resolution for this issue.


Mike Palmer

Bremer Financial.


This Discussion