Cisco Support Community
deny statement in FWSM

I am receiving "DENY TCP (connection marked for Deletion) from 10.20.1.x/3698 to 10.17.0.23/4343 flags SYN on interface tech" on my FWSM.

I verified there is no rule in place that would cause this deny.

We have several DNS servers in the "services" VRF (same group as the one we are having issues with) and do not get a deny statement if we access them with

https://10.17.x.x:4343/officescan

I ran a debug on one where I am successful and one where I am not:

10.17.0.23 works

10.17.0.5 not working

The server and user have no restrictions.

I am not sure what is dropping the traffic. The rules in the FWSM are applied to the whole group, but only 1 server in the group is having issues.

Any ideas?

From tech interface:

40: 14:20:07.936075278 802.1Q vlan#901 P0 10.20.1.143.2277 > 10.17.0.5.4343: S 2416386804:2416386804(0) win 65535 <mss 1460,nop,nop,sackOK>
41: 14:20:07.936075278 802.1Q vlan#901 P0 10.17.0.5.4343 > 10.20.1.143.2277: R 0:0(0) ack 2416386805 win 0
42: 14:20:08.936075788 802.1Q vlan#901 P0 10.20.1.143.2277 > 10.17.0.5.4343: S 2416386804:2416386804(0) win 65535 <mss 1460,nop,nop,sackOK>
43: 14:20:08.936075788 802.1Q vlan#901 P0 10.17.0.5.4343 > 10.20.1.143.2277: R 0:0(0) ack 2416386804 win 65535 <mss 1460,nop,nop,sackOK>
44: 14:20:14.936081808 802.1Q vlan#901 P0 10.20.1.143.2277 > 10.17.0.5.4343: S 2416386804:2416386804(0) win 65535 <mss 1460,nop,nop,sackOK>
45: 14:20:14.936081808 802.1Q vlan#901 P0 10.17.0.5.4343 > 10.20.1.143.2277: R 0:0(0) ack 2416386805 win 0

From service interface:

40: 14:20:07.936075278 802.1Q vlan#902 P0 10.20.1.143.2277 > 10.17.0.5.4343: S 188462670:188462670(0) win 65535 <mss 1380,nop,nop,sackOK>
41: 14:20:07.936075278 802.1Q vlan#902 P0 10.17.0.5.4343 > 10.20.1.143.2277: R 0:0(0) ack 188462671 win 0
42: 14:20:14.936081808 802.1Q vlan#902 P0 10.20.1.143.2277 > 10.17.0.5.4343: S 2238373880:2238373880(0) win 65535 <mss 1380,nop,nop,sackOK>
43: 14:20:14.936081808 802.1Q vlan#902 P0 10.17.0.5.4343 > 10.20.1.143.2277: R 0:0(0) ack 2238373881 win 0

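Added here as an illustration (not code from the original post): a small Python parser for FWSM capture lines in the format quoted above. It groups packets per flow and reports whether the server side answered each SYN with a SYN-ACK, with a RST, or not at all, so a deny like "connection marked for Deletion" can be matched against what the host actually sent back. The sample input is constructed from the tech-interface trace in the post.

```python
import re
from collections import defaultdict
# Constructed sample: the tech-interface trace quoted above, one packet per line.
SAMPLE = """\
40: 14:20:07.936075278 802.1Q vlan#901 P0 10.20.1.143.2277 > 10.17.0.5.4343: S 2416386804:2416386804(0) win 65535 <mss 1460,nop,nop,sackOK>
41: 14:20:07.936075278 802.1Q vlan#901 P0 10.17.0.5.4343 > 10.20.1.143.2277: R 0:0(0) ack 2416386805 win 0
42: 14:20:08.936075788 802.1Q vlan#901 P0 10.20.1.143.2277 > 10.17.0.5.4343: S 2416386804:2416386804(0) win 65535 <mss 1460,nop,nop,sackOK>
43: 14:20:08.936075788 802.1Q vlan#901 P0 10.17.0.5.4343 > 10.20.1.143.2277: R 0:0(0) ack 2416386804 win 65535 <mss 1460,nop,nop,sackOK>
"""

PKT_RE = re.compile(  # "<n>: <time> [802.1Q vlan#N P0] src.port > dst.port: <flags> [seq:end(len)] [ack N] ..."
    r"^\s*(?P<num>\d+):\s+(?P<ts>[\d:.]+)\s+(?:802\.1Q vlan#(?P<vlan>\d+)\s+P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[SRPFU.]+)\s+"
    r"(?:(?P<seq>\d+):\d+\(\d+\)\s+)?(?:ack\s+(?P<ack>\d+))?"
)

def parse_capture(text):
    """Parse the TCP lines of FWSM 'show capture' output; non-matching lines are skipped."""
    pkts = []
    for m in filter(None, map(PKT_RE.match, text.splitlines())):
        d = m.groupdict()
        for k in ("num", "vlan", "sport", "dport", "seq", "ack"):
            d[k] = None if d[k] is None else int(d[k])
        pkts.append(d)
    return pkts

def classify_flows(pkts):
    """For every flow opened by a pure SYN, report how the server side answered and how many SYNs were sent."""
    flows = defaultdict(list)
    for p in pkts:
        ends = ((p["src"], p["sport"]), (p["dst"], p["dport"]))
        flows[tuple(sorted(ends))].append(p)  # same key for both directions
    verdicts = {}
    for plist in flows.values():
        syns = [p for p in plist if p["flags"] == "S"]
        if not syns:
            continue  # no connection attempt inside this capture window
        client, server = (syns[0]["src"], syns[0]["sport"]), (syns[0]["dst"], syns[0]["dport"])
        replies = [p for p in plist if (p["src"], p["sport"]) == server]
        if any(p["flags"] == "S." for p in replies):
            verdict = "SYN-ACK from server"
        elif any("R" in p["flags"] for p in replies):
            # A RST whose ack equals the client's ISN+1 answers that SYN directly: the host saw it and refused.
            direct = any("R" in p["flags"] and p["ack"] == syns[0]["seq"] + 1 for p in replies)
            verdict = "RST from server" + (" acking the SYN" if direct else "")
        else:
            verdict = "no reply from server"
        verdicts[(client, server)] = (verdict, len(syns))
    return verdicts
```

For the quoted trace, `classify_flows(parse_capture(SAMPLE))` reports a RST from 10.17.0.5 that acks the client's SYN after 2 SYN attempts, i.e. the host itself answered the connection attempt rather than staying silent.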
1 REPLY

Re: deny statement in FWSM

Forgot to add:

FWSM/schools# sh local 10.17.0.5
IPv4 local hosts:
local host: <10.17.0.5>, tcp conn(s)/limit = 0/0, embryonic(s)/limit = 0/0 udp conn(s)/limit = 14/0
    Xlate(s):
        Global 10.17.0.5 Local 10.17.0.5
IPv6 local hosts:
FWSM/schools#

I did clear the local 10.17.0.5, but that did not seem to help. It appears that all the other DNS servers have the same output, and the other servers which are in the same group just have the output

FWSM/schools# sh local 10.17.0.23
IPv4 local hosts:
IPv6 local hosts:
FWSM/schools#
