advice on asa5520 log

Unanswered Question
Sep 30th, 2010

Hi


One of our machines behind the ASA 5520 is behaving strangely. The log is:

Deny TCP (no connection) from 10.10.10.5/39708 to 10.10.5.5/22 flags RST on interface inside


My configuration is:

object-group network mytest

  network-object 10.0.0.0 255.0.0.0


access-list outside extended permit ip object-group mytest any log

access-list outside extended permit tcp any any eq ssh


Please advise what the possible problem could be.


Any comments will be appreciated


Thanks in advance


julxu

Jennifer Halim (Cisco Employee) Thu, 09/30/2010 - 22:03

That means the ASA does not find a matching connection entry for that particular SSH traffic.

A couple of reasons why we can see that log:

1) The ASA has already closed down the connection based on the idle timeout, and when the application sends a RST packet, the ASA no longer has that connection entry, hence the syslog message. This is normal.

2) The ASA has an existing new connection for SSH; however, the application itself is sending a RST for a previous connection. This is also normal.


Is the SSH connection actually working or not?

julxu Thu, 09/30/2010 - 22:09

Jennifer


Great, thanks for the quick reply.


Actually, SSH is not working. If I say the local machine is A1 and the outside machine is B1, then I do "ssh B1" from A1. It freezes.


On A1, I can see the traffic A1 sends to B1, but on B1, I can see traffic in both directions. So I guess the firewall dropped the packet. But why?


Many Regards


julxu

Jennifer Halim (Cisco Employee) Thu, 09/30/2010 - 22:14

Can you telnet to port 22 from a DOS prompt?

If you are getting a cursor, that means the connection is established.


You can also check: "sh conn | i ", after trying to establish the connection.


Last test is to perform packet capture on both interfaces to see where the packet is dropping.

julxu Wed, 10/06/2010 - 04:09

When I do "telnet machine 3186", on the firewall I get:


#show conn | i 10.10.5.5:3186

TCP outside 10.10.5.5:3186 inside 10.10.10.5:45261, idle 0:00:00, byte flags saA

#show conn | i 10.10.5.5:3186

TCP outside 10.10.5.5:3186 inside 10.10.10.5:45261, idle 0:00:06, byte flags saA

#show conn | i 10.10.5.5:3186

#show conn | i 10.10.5.5:3186


For the packet trace: on 10.10.5.5 (the outside box) I can see traffic in both directions; on 10.10.10.5 (the inside box) I cannot see the 10.10.5.5:3186 traffic.


Is there any implicit rule causing this problem? I do not have a problem with ping.
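The following is an added example, not code from the thread or from Cisco: a small Python script that parses ASA "Deny TCP (no connection)" syslog lines and "show conn" TCP entries, expands the connection flags using the legend the ASA prints with "show conn" (s = awaiting outside SYN, a = awaiting outside ACK to SYN, A = awaiting inside ACK to SYN, U = up), and then classifies each no-connection RST along the two normal cases Jennifer describes plus the case this thread shows, where the conn never gets past "saA" (the inside SYN was seen but no SYN-ACK ever arrived at the ASA) and is eventually torn down. The sample syslog and "show conn" lines are constructed for the example; the %ASA-6-106015 message ID and the flag meanings are the documented ASA ones, and the classification strings are the example's own.

```python
import re

# Subset of the flag legend printed by the ASA "show conn" command.
FLAG_LEGEND = {
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "B": "initial SYN from outside",
    "U": "up (three-way handshake completed)",
    "I": "inbound data seen",
    "O": "outbound data seen",
}

DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>\S+) on interface (?P<iface>\S+)"
)
CONN_RE = re.compile(
    r"TCP (?P<if1>\S+) (?P<ip1>[\d.]+):(?P<port1>\d+) (?P<if2>\S+) (?P<ip2>[\d.]+):(?P<port2>\d+), "
    r"idle (?P<idle>\d+:\d+:\d+)(?:, bytes (?P<bytes>\d+))?, flags (?P<flags>\S+)"
)


def parse_deny(line):
    """Parse an ASA 'Deny TCP (no connection)' syslog line; None for anything else."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return {
        "src": (m["src"], int(m["sport"])),
        "dst": (m["dst"], int(m["dport"])),
        "flags": m["flags"],
        "iface": m["iface"],
    }


def parse_conn(line):
    """Parse one 'show conn' TCP entry. The bytes field is optional in the regex
    because abbreviated output (as pasted in the thread) may omit it."""
    m = CONN_RE.search(line)
    if not m:
        return None
    return {
        "endpoints": frozenset({(m["ip1"], int(m["port1"])), (m["ip2"], int(m["port2"]))}),
        "idle": m["idle"],
        "bytes": int(m["bytes"]) if m["bytes"] else None,
        "flags": m["flags"],
    }


def explain_flags(flags):
    return [FLAG_LEGEND.get(f, "unknown flag " + f) for f in flags]


def is_embryonic(flags):
    # The ASA only sets 'U' once the three-way handshake has completed.
    return "U" not in flags


def classify_deny(deny, conn_snapshots):
    """Decide what a no-connection packet means, given every 'show conn' entry
    observed for that flow over time (flows are matched as unordered endpoint pairs)."""
    key = frozenset({deny["src"], deny["dst"]})
    history = [c for c in conn_snapshots if c["endpoints"] == key]
    if deny["flags"] != "RST":
        return "no-conn packet that is not a RST: check routing/NAT and capture on both interfaces"
    if not history:
        return "stray RST for a flow the ASA never tracked: harmless unless it repeats"
    if any(not is_embryonic(c["flags"]) for c in history):
        return "RST after an established conn aged out (idle timeout): normal"
    return "RST for a flow that never left the embryonic state: SYN-ACK never reached the ASA"


# Constructed sample data (not captured from the devices in the thread).
SHOW_CONN_SNAPSHOTS = [
    "TCP outside 10.10.5.5:3186 inside 10.10.10.5:45261, idle 0:00:00, bytes 0, flags saA",
    "TCP outside 10.10.5.5:3186 inside 10.10.10.5:45261, idle 0:00:06, bytes 0, flags saA",
    "TCP outside 10.10.5.5:22 inside 10.10.10.5:40000, idle 0:00:01, bytes 4120, flags UIO",
]
SYSLOG_LINES = [
    "%ASA-6-106015: Deny TCP (no connection) from 10.10.10.5/45261 to 10.10.5.5/3186 flags RST on interface inside",
    "%ASA-6-106015: Deny TCP (no connection) from 10.10.10.5/40000 to 10.10.5.5/22 flags RST on interface inside",
    "%ASA-6-106015: Deny TCP (no connection) from 10.10.10.5/39708 to 10.10.5.5/22 flags ACK on interface inside",
]


def report(syslog_lines=SYSLOG_LINES, conn_lines=SHOW_CONN_SNAPSHOTS):
    """Map (src_ip, src_port, dst_ip, dst_port) -> classification for every deny line."""
    conns = [c for c in map(parse_conn, conn_lines) if c]
    result = {}
    for line in syslog_lines:
        d = parse_deny(line)
        if d:
            result[d["src"] + d["dst"]] = classify_deny(d, conns)
    return result


if __name__ == "__main__":
    for flow, verdict in report().items():
        print("%s:%d -> %s:%d  %s" % (flow + (verdict,)))
```

To use it against a real box, collect a few "show conn | i <address>" snapshots while the client retries, paste them into SHOW_CONN_SNAPSHOTS, and feed the syslog lines in; a flow whose history is only "saA" entries, followed by a no-connection RST, is the signature of the inside SYN getting through while the SYN-ACK takes a path that bypasses the ASA or is dropped before it.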
