advice on asa5520 log

Unanswered Question
Sep 30th, 2010

Hi

one of our machine behind asa5520 have strange behalve. the log is:

Deny TCP (no connection) from 10.10.10.5/39708 to 10.10.5.5/22 flags RST on interface inside

my configure is:

object-group network mytest

  network-object 10.0.0.0 255.0.0

access-list outside extended permit ip object-group mytest any log

access-list outside extended permit tcp any any eq ssh

Please advice what possible problem can be?

Any comments will be appreciated

Thanks in advace

julxu

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jennifer Halim Thu, 09/30/2010 - 22:03

That means the ASA does not find the matching connection entry for that particular SSH traffic.

A couple of reason why we can see that log:

1) ASA already closes down the connection base on the idle timeout, and when the application sends a RST packet, ASA does not have that connection entry anymore, hence the syslog message. This is normal.

2) ASA has an existing new connection for SSH, however, the application itself is sending a RST for previous connection. This is also normal.

Is the SSH connection actually working or not?

julxu Thu, 09/30/2010 - 22:09

Jennifer

great thanks for the quick reply.

actually ssh is not working. if I say the local machine is A1, and outside machine is B1, than I do "ssh B1" form A1. it is frezened.

on A1, I can see the traffic A1 send to B1. but on B1, I can see traffic on both direction. so I guess, it is firewall dropped packet. but why?

Many Regards

julxu

Jennifer Halim Thu, 09/30/2010 - 22:14

Can you telnet on port 22 from DOS prompt?

If you are getting a cursor, that means the connection is established.

You can also check: "sh conn | i ", after trying to establish the connection.

Last test is to perform packet capture on both interfaces to see where the packet is dropping.

julxu Wed, 10/06/2010 - 04:09

when I do telnet machine 3186, on firewall I get:

#show conn | i 10.10.5.5 :3186

TCP outside 10.10.5.5:3186 inside 10.10.10.5:45261, idle 0:00:00 byte flags saA

#show conn | i 10.10.5.5:3186

TCP outside 10.10.5.5.:3186 inside 10.10.10.5:45261, idle 0:00:06, byte flags saA

#show conn | i 10.10.5.5:3186

#show conn | i 10.10.5.5:3186

for packet trace, on the 10.10.5.5 (outside box) I can see both traffic, on 10.10.10.5 (inside traffic) I can not see 10.10.5.5:3186 traffic.

is there any implicit rule cause this problem? I do not have problem with ping.

Actions

This Discussion