Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
513
Views
0
Helpful
4
Replies

ASA Denys for Source 443

mikedelafield
Level 1
Level 1

‎04-10-2014 06:08 AM - edited ‎03-11-2019 09:03 PM

Hi guys.

We are seeing large number of logged Deny messages for what seem to be the reverse outbound leg of incoming SSL connections.

In the logs we see continual Denys with source IP of an internal server and source port tcp/443.

The destination in each case is a legitimate client IP address and high port.

4 Apr 10 2014 15:04:57 1.1.1.1 443 15.15.15.15 64213 access-list DMZ_access_in_1 denied tcp DMZ/1.1.1.1(443) -> outside/15.15.15.15(64213)

So the server inside the DMZ is replying to a client, but is being blocked by the ASA for some reason.

As the traffic analysis should be stateful I don't really understand why we are seeing this.

Despite this we have not experienced any obvious problems so far.

Has anyone experienced similar issue or logging instance?

 

Thanks.

Mike

Labels:
0 Helpful
4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-10-2014 07:48 AM

I've seen similar log messages for the final packet in a flow. I had found a reference that I can't put my finger on right now that explained that once the TCP connection record was removed from the ASA, the normal logic that bypasses the interface ACL no longer applies and thus you get this syslog artifact.

It may or may not be what you're seeing, a capture of the traffic correlated to the log entry time would confirm or deny this possibility.

0 Helpful

mikedelafield
Level 1
Level 1
In response to Marvin Rhoads

‎04-10-2014 12:19 PM

Thanks Marvin.

That's interesting as an idea and hopefully thats all it is the final packet as the alternative is that genuine packets are being dropped!

Although as I say so far we haven't noticed any obvious problems because of it.

Hopefully someone else has also experienced the problem and has an understanding of it.

Mike

0 Helpful

mikedelafield
Level 1
Level 1
In response to mikedelafield

‎08-21-2014 05:20 AM

Hi guys.

Does anyone have idea on this as we're still seeing outbound connections sourced with TCP/443.

 We host an SSL page and the traffic seems linked, but why would the return traffic be blocked by the ASA?

We have not observed any actualy problems other than these messages but it is very strange.

If anyone has any ideas or has seen similar please let me know!

4Aug 21 201414:15:23 1.1.1.14432.2.2.2250452access-list DMZ_access_in_1 denied tcp DMZ/1.1.1.1(443) -> outside/2.2.2.2(50452) hit-cnt 1 first hit [0x8c22f0ef, 0x0]
0 Helpful

nkarthikeyan
Level 7
Level 7
In response to mikedelafield

‎08-21-2014 05:59 AM

Hi,

 

Can you try to capture the traffic between those selected hosts?.... Once we get the traffic initiated and flow through, we should be able to find why the packets is getting initiated....

do you have any special configurations such as tcp-bypass or something configured?

 

Same time if you check on the connection for that specific host... does that result that as a new connection?

 

do you have any specific configuration in the application server @ dmz zone?

 

Regards

Karthik

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card