ASA 5510 deny TCP no connection

mark-garner
Level 1

Just upgraded to ver 8.4.3 from 8.1 and I know the NAT has changed, and I am wondering if it converted everything correctly or if there is something else I need to do. All traffic seems to flow just fine, but small things like this seem to bother me. See the attached screenshot (asa11.png) and config.

interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 216.*.*.* 255.255.255.240 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.** 255.255.254.0 
!
interface Ethernet0/2
 speed 100
 duplex full
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
!
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 192.168.*.*
 name-server 192.168.*.*
 name-server 192.168.*.*
 domain-name ******
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.180.0
 subnet 192.168.180.0 255.255.254.0
object network obj-192.168.188.0
 subnet 192.168.188.0 255.255.255.0
object network obj-216.86.7.128
 subnet 216.86.7.128 255.255.255.240
object network obj-192.168.193.0
 subnet 192.168.193.0 255.255.255.0
object network obj-172.27.0.0
 subnet 172.27.0.0 255.255.255.128
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 subnet 0.0.0.0 0.0.0.0
object network obj-172.25.11.0
 subnet 172.25.11.0 255.255.255.0
object network obj-172.35.0.0
 subnet 172.35.0.0 255.255.254.0
object network SpamBox_1
 host 192.168.180.244
object network SpamBox_2
 host 192.168.180.248
object network Exchange
 host 192.168.180.235
object network PMG
 subnet 192.168.178.0 255.255.255.0
object network Outside_Gateway
 host 216.*.*.*
object network AHCCN
 subnet 172.35.0.0 255.255.254.0
object network PMG-1
 subnet 192.168.178.0 255.255.255.0
object network MM
 subnet 10.90.254.0 255.255.255.0
object network NETWORK_OBJ_172.27.0.0_25
 subnet 172.27.0.0 255.255.255.128
object network NETWORK_OBJ_172.27.0.0_26
 subnet 172.27.0.0 255.255.255.192
object network obj-172.35.1.199
 host 172.35.1.199
object-group service DM_INLINE_SERVICE_2
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp-udp destination eq domain 
 service-object tcp-udp destination eq www 
object-group network DM_INLINE_NETWORK_1
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_2
 network-object object AHCCN
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_4
 network-object object AHCCN
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_3
 network-object object obj-172.35.0.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_16
 network-object object MM
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
 network-object object obj-192.168.180.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_5
 network-object object AHCCN
 network-object object MM
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_6
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
 network-object object obj-192.168.180.0
object-group service DM_INLINE_SERVICE_4
 service-object icmp 
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_5
 service-object tcp-udp destination eq domain 
 service-object tcp destination eq smtp 
 service-object udp destination eq time 
 service-object tcp destination eq ssh 
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_6
 service-object tcp-udp destination eq domain 
 service-object tcp destination eq smtp 
 service-object udp destination eq time 
 service-object tcp destination eq ssh 
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_0
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object tcp destination eq smtp 
object-group network DM_INLINE_NETWORK_7
 network-object object MM
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
 network-object object obj-172.35.0.0
object-group network DM_INLINE_NETWORK_8
 network-object 172.25.11.0 255.255.255.0
 network-object 172.35.0.0 255.255.254.0
object-group service DM_INLINE_SERVICE_7
 service-object ip 
 service-object tcp-udp destination eq domain 
 service-object tcp destination eq citrix-ica 
object-group network DM_INLINE_NETWORK_10
 network-object 172.25.11.0 255.255.255.0
 network-object 172.35.0.0 255.255.254.0
object-group network DM_INLINE_NETWORK_9
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
object-group network DM_INLINE_NETWORK_11
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
object-group network DM_INLINE_NETWORK_13
 network-object object AHCCN
 network-object object obj-172.25.11.0
object-group network DM_INLINE_NETWORK_14
 network-object object AHCCN
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_15
 network-object object AHCCN
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_10 object PMG 
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.188.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip object obj-192.168.180.0 object obj-216.*.*.* 
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 192.168.193.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_7 object obj-172.27.0.0 
access-list Outside_1_cryptomap extended permit ip 192.168.188.0 255.255.255.0 object-group DM_INLINE_NETWORK_14 
access-list Outside_2_cryptomap extended permit ip object obj-192.168.193.0 object-group DM_INLINE_NETWORK_15 
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any any 
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object PMG object-group DM_INLINE_NETWORK_8 
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any object Exchange 
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object SpamBox_1 
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object SpamBox_2 
access-list Outside_access_in extended permit ip 192.168.188.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 
access-list Outside_access_in extended permit ip 192.168.193.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 
access-list Outside_access_in extended deny ip any any 
access-list global_mpc extended permit ip any any 
access-list global_access extended permit udp object obj-172.*** any eq snmp 
access-list global_access extended permit ip object obj-172.2** any 
access-list splitTunnelAcl standard permit 192.168.** 255.255.254.0 
access-list splitTunnelAcl standard permit 172.*** 255.255.254.0 
access-list splitTunnelAcl standard permit 172.25.** 255.255.255.0 
access-list splitTunnelAcl standard permit 10.90.** 255.255.255.0 
access-list Outside_cryptomap_1 extended permit ip object *** object-group DM_INLINE_NETWORK_13 
access-list Inside_access_in extended permit ip any any 
!
!
flow-export destination Inside 192.168.180.109 2055
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool Client_Pool 172.27.0.50-172.27.0.100 mask 255.255.255.0
ip local pool RA_POOL 172.27.0.1-172.27.0.49 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any Inside
asdm history enable
arp timeout 14400
nat (Inside,Outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static obj-192.168.188.0 obj-192.168.188.0 no-proxy-arp
nat (Inside,Outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static obj-192.168.193.0 obj-192.168.193.0
nat (Inside,Outside) source static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 destination static PMG PMG
nat (Inside,Outside) source static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11 destination static PMG PMG no-proxy-arp route-lookup
nat (Inside,Outside) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static NETWORK_OBJ_172.27.0.0_25 NETWORK_OBJ_172.27.0.0_25 no-proxy-arp route-lookup
nat (Inside,Outside) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static NETWORK_OBJ_172.27.0.0_26 NETWORK_OBJ_172.27.0.0_26 no-proxy-arp route-lookup
!
object network obj_any
 nat (Inside,Outside) dynamic interface
object network SpamBox_1
 nat (Inside,Outside) static 216.*.*.*
object network SpamBox_2
 nat (Inside,Outside) static 216.*.*.*
object network Exchange
 nat (Inside,Outside) static 216.*.*.* dns
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group global_access global

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I don't know if there really is anything in your configuration above that would tell the reason for these error messages in the syslog. At least I am not sure what is causing them.

Generally you see the "no connection" log messages for these reasons (at least):

  • Asymmetric routing: If a host attempts to form a TCP connection and the ASA doesn't see the whole negotiation (TCP SYN, TCP SYN ACK, TCP ACK), then the ASA will drop the traffic before the TCP connection forms. Though in this case I guess you would typically see TCP SYN ACK in the logs.
  • Connection timeout: An application that is used very randomly with very long breaks might time out (idle) on the firewall, and when the user/host attempts to send more data on the TCP connection the ASA will drop the traffic with the "no connection" syslog message, since it has already removed the connection on which the host/user is attempting to send more data.

I guess the main thing is that everything seems to be working.

I would suggest monitoring the logs and seeing if there are any certain hosts for which these log messages repeat, and then capturing traffic for their connections and seeing what actually happens to those TCP connections which have already been removed from the ASA but for which traffic is still coming to the ASA.

You can configure a traffic capture on the ASA itself if needed.

- Jouni

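A small triage script for the approach in this answer (find the hosts for which the message repeats, then use the TCP flags to tell a SYN ACK from asymmetric routing apart from mid-stream traffic on a connection the ASA has already torn down, before taking a capture). It is an added example for this thread, not code from the original post; it assumes the standard ASA syslog format for message 106015 "Deny TCP (no connection)" and runs over constructed sample lines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the standard ASA %ASA-6-106015 format (not taken from the thread).
SAMPLE_LOG = """\
%ASA-6-106015: Deny TCP (no connection) from 192.168.180.50/49152 to 192.0.2.34/80 flags ACK on interface Inside
%ASA-6-106015: Deny TCP (no connection) from 192.168.180.50/49153 to 192.0.2.34/80 flags PSH ACK on interface Inside
%ASA-6-106015: Deny TCP (no connection) from 192.168.180.50/49154 to 192.0.2.34/443 flags ACK on interface Inside
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.9/443 to 192.168.180.235/51000 flags SYN ACK on interface Outside
%ASA-6-302013: Built inbound TCP connection 12345 for Outside:203.0.113.5/4321 (203.0.113.5/4321) to Inside:192.168.180.235/25 (192.168.180.235/25)
"""

# 106015 is the ASA message ID for "Deny TCP (no connection)"; search() tolerates a timestamp/hostname prefix.
NO_CONN = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)

def parse_no_connection(text):
    """Return one dict per 106015 line; other message IDs are ignored."""
    return [m.groupdict() for m in map(NO_CONN.search, text.splitlines()) if m]

def classify(flags):
    """Triage from TCP flags, following the two causes in the answer: a SYN ACK with no
    connection means the ASA never saw the SYN (asymmetric routing); any other non-SYN
    segment is mid-stream traffic for a connection the ASA already tore down (idle timeout)."""
    f = set(flags.split())
    if f == {"SYN", "ACK"}:
        return "asymmetric-routing"
    if "SYN" not in f:
        return "stale-connection"
    return "other"

def summarize(text, min_count=2):
    """Group drops by source host and report the hosts that repeat, with flag mix and targets."""
    by_src = defaultdict(list)
    for ev in parse_no_connection(text):
        by_src[ev["src"]].append(ev)
    report = {}
    for src, events in by_src.items():
        if len(events) < min_count:
            continue  # one-off drops are noise; the answer suggests looking for repeat offenders
        report[src] = {
            "count": len(events),
            "flags": Counter(e["flags"] for e in events),
            "dests": Counter(f'{e["dst"]}/{e["dport"]}' for e in events),
            "verdicts": Counter(classify(e["flags"]) for e in events),
        }
    return report
```

Feed it the output of `show logging` or a syslog export; the hosts it reports are the ones worth a capture.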

2 Replies

I ran a capture and found that the traffic that was being dropped was in fact denied traffic from my web-filter behind the ASA. No malicious traffic that I can see. Most of it is denied traffic to Adobe updater. Thanks for the insight, I was just concerned since I started seeing these after the upgrade.
