Logging half-open connections to blocked Windows ports

Jan 25th, 2014

Background:

Usually when we have a problem with a VPN user attempting to connect to an inside service, we turn to our ASA syslogs to determine where the connection is being prohibited (or other errors such as the user trying to connect to the wrong machine). This works fine for normally configured (UNIX) servers which send an ICMP reject message. Recently we had to diagnose problems connecting to an inside Windows device, and although the VPN client had attempted to connect, no log message was produced because the connection never got a TCP RST nor an ICMP reject.

From what I can suss out from MSDN, turning off "stealth mode" on Windows boxes to return those boxes to sane ICMP reject behavior is either not completely supported, or at the very least misguidedly discouraged by Microsoft, and so I might not be able to convince various Windows administrators to alter this policy.

Question:

Is there a way to get log messages bearing the IP tuples for TCP and/or UDP incomplete connections where the ASA sees only packets destined for an inside host? This would be for a small number (<50) of VPN remote clients, so we are not very worried about a DDOS saturating the logs -- these packets are not attacks, just mistakes.

We would need this to happen even for single packets, and without actually dropping traffic from the initiator, so threat-detection probably won't do the trick here, unless it can be made to audit-only on single packets.

VPN is all this ASA device is doing, so it can likely afford the CPU for configurations normally deemed too CPU intensive.

Jouni Forss Sun, 01/26/2014 - 03:48

Hi,

Wouldn't you be essentially looking for connection "Teardown" messages with reason SYN Timeout? As this should be the result if the ASA doesn't see either the return SYN ACK or the last ACK from the connection initiator. This would usually be generated after 20-30 seconds if the connection doesn't form.

I am not really sure about UDP. I rarely have to troubleshoot UDP connections. The very rare cases usually relate to Video/Voice, and there I usually see ICMP messages returned for a port that the destination device is not listening on. And while troubleshooting these I tend to take captures on the actual ASA.

I think the Teardown Syslog ID for TCP connections is ASA-6-302013.

This is usually the first Syslog ID I look for from the server when someone reports a problem with connectivity.

By default it's an Informational level log message, or naturally it can be changed to something else if your logging is, for example, set to Notifications.

Here's the link to the Cisco document about this log message:

http://www.cisco.com/en/US/docs/security/asa/syslog-guide/logmsgs.html#wp6941209

- Jouni
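
To show what the Teardown approach above looks like in practice, here is an added example (not code from this thread or from Cisco) that pulls the IP tuples of half-open connections out of constructed ASA syslog lines. It keys on the TCP Teardown message, which on the ASA is %ASA-6-302014 (302013 is the matching "Built" message), and on the SYN Timeout reason; the hostname, addresses, ports and connection IDs in the sample are invented.

```python
import re
from collections import Counter

# Matches the ASA "Teardown TCP connection" syslog message (%ASA-6-302014);
# optional "(mapped-addr/port)" / "(user)" groups after each endpoint are skipped.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+)(?: \([^)]*\))* to "
    r"(?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)(?: \([^)]*\))* "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$"
)

# Constructed sample log (invented addresses/IDs): one VPN client hits two silent Windows ports and one live SSH port.
SAMPLE_LOG = """\
Jan 25 2014 10:00:01 asa1 %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:10.1.2.3/445 (10.1.2.3/445)
Jan 25 2014 10:00:31 asa1 %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.7/51234 to inside:10.1.2.3/445 duration 0:00:30 bytes 0 SYN Timeout
Jan 25 2014 10:01:10 asa1 %ASA-6-302014: Teardown TCP connection 4712 for outside:203.0.113.7/51235 to inside:10.1.2.4/22 duration 0:01:05 bytes 2048 TCP FINs
Jan 25 2014 10:02:00 asa1 %ASA-6-302014: Teardown TCP connection 4713 for outside:203.0.113.7/51236 to inside:10.1.2.5/3389 duration 0:00:30 bytes 0 SYN Timeout
"""

def parse_teardown(line):
    """Fields of a 302014 message as a dict, or None for any other line."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("conn", "sport", "dport", "bytes"):
        rec[key] = int(rec[key])
    rec["reason"] = rec["reason"] or ""
    return rec

def half_open_tuples(log_text):
    """(src, sport, dst, dport) of every connection torn down with SYN Timeout."""
    # SYN Timeout with 0 bytes: the ASA forwarded the SYN but never saw the handshake
    # complete, which is what a host that silently drops (or is down) looks like.
    tuples = []
    for line in log_text.splitlines():
        rec = parse_teardown(line)
        if rec and rec["reason"].startswith("SYN Timeout"):
            tuples.append((rec["src"], rec["sport"], rec["dst"], rec["dport"]))
    return tuples

def silent_destinations(log_text):
    """SYN Timeouts per (dst, dport): which inside services never answer."""
    return Counter((dst, dport) for _, _, dst, dport in half_open_tuples(log_text))

if __name__ == "__main__":
    for t in half_open_tuples(SAMPLE_LOG):
        print("half-open: %s/%d -> %s/%d" % t)
```

Feed it the real syslog export instead of SAMPLE_LOG; a SYN Timeout entry cannot by itself tell a silently dropping Windows host from one that is simply down, so pair it with Peter's show conn check when in doubt.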

Peter Koltl Sun, 01/26/2014 - 23:02

For live troubleshooting the following command is useful:

show conn detail long

Silent servers are marked with SAa flags.
