TCP Deny(No Connection) from x.x.x.x to y.y.y.y flags FIN ACK on Interface outside

Answered Question
Jan 5th, 2014
Hi All,

I am receiving plenty of these messages on my ASA 5520. After plenty of these logs, "TCP Deny(No Connection) from x.x.x.x to y.y.y.y flags RST ACK on Interface outside" is also showing.


I don't know the reason behind this. Can you please let me know the reason behind such error messages?


Thanks

Correct Answer by Jouni Forss about 3 years 7 months ago

Hi,


The main information that this message tells us is that there was traffic coming from behind the "outside" interface for which there is no existing connection.


The ASA is always expecting the first packet of the TCP connection to be the TCP SYN from the host that tries to open/form the TCP connection.


If some other TCP packet arrives, like this TCP RST ACK, it presumes that these are packets for an existing connection. It then checks its connection table but doesn't find an existing connection and therefore drops the traffic.


So to me it seems that this log message indicates traffic for a connection that has already been torn down (removed from the connection table) by the ASA, and therefore the ASA doesn't let this traffic through.


Typically the ASA tears down a TCP connection when it has seen the closing sequence from both of the hosts involved in the TCP connection, for example a client on the LAN and a web server on the Internet.


The typical sequence after which the connection is closed is when a TCP FIN is sent by both the client and the server and both send a TCP ACK to each other's TCP FIN. After the ASA has seen this sequence of messages/packets it tears down the connection.


Here is some information about TCP connections:

http://www.tcpipguide.com/free/t_TCPConnectionTermination-4.htm


In some cases I presume that the host might also send TCP RST but if the connection has already been removed from the ASA the ASA has no reason to allow this packet through.


What you can do naturally is go through your logs and try to find the log messages for the connections where you see the connection forming and then being torn down. I mean, try to find the connection forming/closing logs for the messages that you are getting, so you can confirm that the ASA has already seen the client/server close the TCP connection in the normal way by sending the TCP FIN/ACK messages.


You could also take a traffic capture on the ASA or on a client on your LAN to see what is actually happening with certain TCP connections.


My own guess would be that these don't really indicate any actual problem. For example, I see these constantly when browsing the Internet on my home ASA5505.


Hope this helps


Please do remember to mark a reply as the correct answer if it answered your question.


Feel free to ask more if needed


- Jouni
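One way to do the log correlation Jouni suggests, as an added example that is not from this thread or from Cisco: a small Python script that matches each "Deny TCP (no connection)" line against earlier Teardown lines for the same pair of endpoints, so a deny that follows a normal FIN close can be separated from a deny for which no connection was ever seen. The sample log lines are constructed (documentation address ranges), and their formats approximate the ASA 302013/302014/106015 syslog messages rather than being copied from a real device.

```python
import re

# Constructed sample ASA syslog lines (not from the original post); the
# formats approximate %ASA-6-302013 (Built), 302014 (Teardown) and
# 106015 (Deny TCP no connection). No NAT is assumed, so the Built line
# shows identical real and mapped addresses.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.0.2.5/51234 (192.0.2.5/51234)
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/443 to inside:192.0.2.5/51234 duration 0:00:12 bytes 8421 TCP FINs
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/443 to 192.0.2.5/51234 flags FIN ACK on interface outside
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/443 to 192.0.2.5/51234 flags RST ACK on interface outside
%ASA-6-106015: Deny TCP (no connection) from 198.51.100.77/6000 to 192.0.2.5/445 flags ACK on interface outside
"""

# Teardown: capture both endpoints and the trailing teardown reason text.
TEARDOWN = re.compile(
    r"Teardown TCP connection \d+ for \w+:([\d.]+)/(\d+) to \w+:([\d.]+)/(\d+) "
    r".*? bytes \d+ (.*)$"
)
# Deny: capture source, destination, TCP flags and the receiving interface.
DENY = re.compile(
    r"Deny TCP \(no connection\) from ([\d.]+)/(\d+) to ([\d.]+)/(\d+) "
    r"flags ([A-Z ]+?) on interface (\w+)"
)


def classify_denies(log):
    """Return (packet summary, verdict) for every 'no connection' deny.

    The endpoint pair is stored direction-agnostically, because the Teardown
    line is written outside->inside while the denied packet may go either way.
    """
    closed = {}  # frozenset{(ip, port), (ip, port)} -> teardown reason
    results = []
    for line in log.splitlines():
        m = TEARDOWN.search(line)
        if m:
            a, ap, b, bp, reason = m.groups()
            closed[frozenset({(a, int(ap)), (b, int(bp))})] = reason.strip()
            continue
        m = DENY.search(line)
        if m:
            src, sport, dst, dport, flags, iface = m.groups()
            reason = closed.get(frozenset({(src, int(sport)), (dst, int(dport))}))
            if reason == "TCP FINs":
                verdict = "late packet after normal FIN close"
            elif reason:
                verdict = f"late packet after teardown ({reason})"
            else:
                verdict = "no prior connection seen"  # worth a closer look
            results.append((f"{src}:{sport}->{dst}:{dport} {flags} on {iface}", verdict))
    return results
```

Denies that land in the "no prior connection seen" bucket are the ones to investigate further; the two that follow the FIN-closed connection are the benign case Jouni describes.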
