Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8739
Views
0
Helpful
3
Replies

ASA firewall logging issue

swim_or_die
Level 1
Level 1

‎01-26-2010 02:09 PM - edited ‎03-11-2019 10:02 AM

Greetings,

We are running several ASA 5540 pairs in Active/Active transparent mode (software version 8.2(1).)  We are trying to find an explanation for some curious syslog traffic generated by these pairs.

No nat-control is enabled.  Security levels are set as follows:

MG-OUTSIDE: 90

MG-INSIDE: 10

I understand that these interface security levels are contrary to normal configuration, but it was engineered by our client in this manner for reasons that are not germaine to this issue.

Correct me if I'm wrong, but with nat-control disabled and access-lists applied to both interfaces, this essentially renders the security level moot.

You will notice that in the built and teardown connections log entries, the well-known port is listed as the source and the ephemeral port is listed as the destination.  In this case, the source addresses are web servers (100.165,166) and the destination addresses are web clients.  I'm looking for an explanation as to why the logs output the traffic in this manner; why aren't the sessions showing connections built/torn down by the web clients to the web servers, instead of vice-versa?

%ASA-6-302013: Built outbound TCP connection 7827084 for INSIDE:x.x.100.165/443 (x.x.100.165/443) to OUTSIDE:x.x.124.164/3465 (x.x.124.164/3465)
%ASA-6-302013: Built outbound TCP connection 7827085 for INSIDE:x.x.100.166/443 (x.x.100.166/443) to OUTSIDE:x.x.221.133/2894 (x.x.221.133/2894)
%ASA-6-302013: Built outbound TCP connection 7827086 for INSIDE:x.x.100.165/443 (x.x.100.165/443) to OUTSIDE:x.x.124.164/3466 (x.x.124.164/3466)
%ASA-6-302014: Teardown TCP connection 7827083 for INSIDE:x.x.100.165/443 to OUTSIDE:x.x.124.164/3464 duration 0:00:00 bytes 13824 TCP FINs
%ASA-6-302014: Teardown TCP connection 7827082 for INSIDE:x.x.100.166/443 to OUTSIDE:x.x.221.133/2893 duration 0:00:00 bytes 1284 TCP FINs
%ASA-6-302013: Built outbound TCP connection 7827087 for INSIDE:x.x.100.165/443 (x.x.100.165/443) to OUTSIDE:x.x.124.164/3467 (x.x.124.164/3467)
%ASA-6-302013: Built outbound TCP connection 7827088 for INSIDE:x.x.100.166/443 (x.x.100.166/443) to OUTSIDE:x.x.126.227/2145 (x.x.126.227/2145)
%ASA-6-302013: Built outbound TCP connection 7827089 for INSIDE:x.x.100.165/443 (x.x.100.165/443) to OUTSIDE:x.x.124.164/3468 (x.x.124.164/3468)
%ASA-6-302014: Teardown TCP connection 7827084 for INSIDE:x.x.100.165/443 to OUTSIDE:x.x.124.164/3465 duration 0:00:00 bytes 7397 TCP FINs
%ASA-6-302014: Teardown TCP connection 7827081 for INSIDE:x.x.100.166/443 to OUTSIDE:x.x.94.168/4186 duration 0:00:00 bytes 5825 TCP FINs
%ASA-6-302014: Teardown TCP connection 7827086 for INSIDE:x.x.100.165/443 to OUTSIDE:x.x.124.164/3466 duration 0:00:00 bytes 2787 TCP FINs
%ASA-6-302013: Built outbound TCP connection 7827090 for INSIDE:x.x.100.166/443 (x.x.100.166/443) to OUTSIDE:x.x.94.168/4187 (x.x.94.168/4187)
%ASA-6-302013: Built outbound TCP connection 7827091 for INSIDE:x.x.100.165/443 (x.x.100.165/443) to OUTSIDE:x.x.21.86/2710 (x.x.21.86/2710)
%ASA-6-302014: Teardown TCP connection 7827087 for INSIDE:x.x.100.165/443 to OUTSIDE:x.x.124.164/3467 duration 0:00:00 bytes 5417 TCP FINs
%ASA-6-302014: Teardown TCP connection 7827089 for INSIDE:x.x.100.165/443 to OUTSIDE:x.x.124.164/3468 duration 0:00:00 bytes 3990 TCP FINs
%ASA-6-302013: Built outbound TCP connection 7827093 for INSIDE:x.x.100.166/443 (x.x.100.166/443) to OUTSIDE:x.x.221.133/2895 (x.x.221.133/2895)
%ASA-6-302014: Teardown TCP connection 7827085 for INSIDE:x.x.100.166/443 to OUTSIDE:x.x.221.133/2894 duration 0:00:00 bytes 5509 TCP FINs
%ASA-6-302013: Built outbound TCP connection 7827095 for INSIDE:x.x.100.165/443 (x.x.100.165/443) to OUTSIDE:x.x.124.164/3469 (x.x.124.164/3469)
%ASA-6-302013: Built outbound TCP connection 7827096 for INSIDE:x.x.100.166/443 (x.x.100.166/443) to OUTSIDE:x.x.107.227/2746 (x.x.107.227/2746)
%ASA-6-302013: Built outbound TCP connection 7827097 for INSIDE:x.x.100.166/443 (x.x.100.166/443) to OUTSIDE:x.x.107.21/3374 (x.x.107.21/3374)

More entries, this time with normal source and destination ports. in this case, clients on the inside interface are connecting to an enterprise server on the outside interface (8444 is a port for one of our enterprise apps):

%ASA-6-302013: Built inbound TCP connection 7776207 for INSIDE:x.x.100.41/60989 (x.x.100.41/60989) to OUTSIDE:x.x.59.64/8444 (x.x.59.64/8444)
%ASA-6-302013: Built inbound TCP connection 7776218 for INSIDE:x.x.100.41/60990 (x.x.100.41/60990) to OUTSIDE:x.x.59.64/8444 (x.x.59.64/8444)
%ASA-6-302014: Teardown TCP connection 7776218 for INSIDE:x.x.100.41/60990 to OUTSIDE:x.x.59.64/8444 duration 0:00:00 bytes 1656 TCP Reset-O

Any ideas?

Thanks,

-Steve

Labels:
0 Helpful
3 Replies 3

Kureli Sankar
Cisco Employee
Cisco Employee

‎01-26-2010 05:03 PM

Do you have tcp state-bypass configured?

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1428242

If so, there probably is asymmetry going on.

The request may be reaching the server via another path and only the response is seen through this firewall. With tcp state bypass this may be considered just like any other udp packet and allowed.

-KS

0 Helpful

swim_or_die
Level 1
Level 1
In response to Kureli Sankar

‎01-27-2010 02:46 PM

KS,

Thank you for looking into this.  My first response after reviewing the command in question is that there is no asymmetric routing going on, as the firewall is in transparent mode and sits in front of a stub network and has only a default route out of the outside interface.  I don't have visibility or administrative control over the next hop.  I do know the traffic in question traverses an MPLS cloud, and that the return traffic may take a different path, but I'm not sure how that's going to affect the state table.

In any case, "tcp state-bypass" is not configured on the firewall, assuming it shows up in the running config under the class-map/policy-map section of the config.

-Steve

0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee
In response to swim_or_die

‎01-27-2010 06:51 PM

Steve,

I just checked the logs on an ASA5505 (routed mode) running 8.2.1. From a host on the high security interface I just loaded google by its ip address.

Jan 27 2010 21:00:16: %ASA-6-302013: Built outbound TCP connection 74804 for outside:72.14.204.99/80 (72.14.204.99/80) to inside:192.168.2.2/3037 (172.18.254.34/13128)

I guess it would make sense if it says "Built outbound connection for inside 192.168.2.2 to outside 72.14.204.99".

Your logg

%ASA-6-302013: Built outbound TCP connection 7827084 for INSIDE:x.x.100.165/443 (x.x.100.165/443) to OUTSIDE:x.x.124.164/3465 (x.x.124.164/3465)

says that it built an outbound connection for source OUTSIDE: x.x.124.164 to destination INSIDE x.x.100.165/443

The flow is from high to low. I have even checked 7.2 syslogs and they are the same. So, it appears normal. I guess with the inverted security level and the "to" and "for" sorta switched in the syslog you got confused.

Here is the syslog link:

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4770603

Error Message    %ASA-6-302013: Built {inbound|outbound} TCP connection_id for 
interface:real-address/real-port (mapped-address/mapped-port) to 
interface:real-address/real-port (mapped-address/mapped-port) [(user)]

-KS

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card