Deny TCP No connection from inside to outside

mahesh18
Level 6

Hi Everyone,

Client PC is accessing the server.

Below are the logs from the firewall:

Jan 30 2014 20:47:04: %ASA-6-302014: Teardown TCP connection 1005516219 for RC:172.23.35.102/45758 to XNet:172.25.27.8/2002 duration 0:00:00 bytes 5435 TCP FINs

Jan 30 2014 20:47:04: %ASA-6-302013: Built inbound TCP connection 1005516229 for RC:172.23.35.102/45759 (172.23.35.102/45759) to XNet:172.25.27.8/2002 (172.25.27.8/2002)

Jan 30 2014 20:47:04: %ASA-6-106015: Deny TCP (no connection) from 172.23.35.102/45758 to 172.25.27.8/2002 flags ACK on interface RC


Does this mean that the client PC sent a TCP SYN to the server and, before the server replied with SYN,ACK, the client sent the SYN towards the server again and the ASA received the ACK on interface RC from the client?

Regards

Mahesh


5 Replies

Julio Carvajal
VIP Alumni

Hello Mahesh,

No. This means that the connection was closed and afterwards the client tried to access the server over the same connection, so the firewall refuses that.

There is a sysopt command to reduce the time during which the ASA refuses packets over the same traffic flow/connection that was previously closed (the default time is 15 seconds).

Command is

sysopt connection timewait #

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

I am trying to understand the traffic flow here.

So initially the client sends a SYN to the server and the traffic goes via the ASA.

Then the server sends SYN,ACK back to the client.

Then the client sends the final ACK to the server.

But in this case, if you can answer the few questions below please:

Client sends SYN to the server, right?

Client does not receive SYN,ACK from the server, right?

Firewall closes the connection and just after that

Client sends ACK to the ASA, right?

Does it mean that if the client does not receive SYN,ACK from the server within 15 secs it still sends an ACK to the server?

Is this default behaviour?

Regards

Mahesh

Hi Mahesh,

Notice the source port of the connection.

The first log message clearly indicates that this connection was normally torn down on the firewall because it saw the normal closing sequence of the TCP connection (TCP FINs).

The next message is the host forming a new connection (notice again the different source port). This is not related to the other 2 messages.

The final log message seems to indicate that there is a packet for the previous connection that was already torn down by the ASA. To my understanding the ASA should tear down the connection if it has seen the normal closing sequence. So that makes me wonder why the client would still be sending a TCP ACK, unless it is still somehow related to the connection termination.

The client should not send anything to the server after the TCP SYN (other than a new TCP SYN) if it never received the TCP ACK (and SYN = TCP SYN ACK) from the server to acknowledge that the server has received the client's initial TCP SYN. The client will simply send a few TCP SYNs at certain intervals until the connection attempt times out if it never receives the TCP SYN ACK from the server.

Naturally a traffic capture would tell much more if there are some problems with the connectivity and you want to take a closer look.

- Jouni

Hello Mahesh,

My pleasure to answer them:

Client sends SYN to the server right?

Yes, the server initiates the TCP connection.

Client does not receive SYN,ACK from the server right?

I would need to see the entire flow, as what is shown by you is after the connection is torn down, but apparently the session was built, so yes.

Firewall closes the connection and just after that

Client sends ACK to the ASA right?

The firewall is not the one closing the session, actually both ends agree to close it using the Graceful Termination TCP packets or FIN.

The ASA, as it saw that the connection was closed by each of the clients, removes it from the conn table, so it should NOT receive any other packet from that specific session.

There are some applications that will use the same traffic flow for a new session after it has been closed, and this causes issues with firewalls.

Does it mean that if client does not receive syn,ack from the server within 15 secs it still sends ACK to the Server?

is this default behaviour?

No, again it means that the connection was closed and the ASA immediately received a packet for the connection that was closed.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
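To make the source-port correlation Jouni points out and the 15-second timewait window Julio mentions concrete, here is an added Python example (not code from the thread or from Cisco) that parses the three ASA messages quoted above, matches each 106015 deny against the latest 302014 teardown of the same source/port/destination/port, and reports whether the deny landed inside the timewait window. The sample log lines and the 15-second default come from the thread; the result field names are my own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the three messages quoted in the thread, in the order the ASA logged them.
SAMPLE_LOG = """\
Jan 30 2014 20:47:04: %ASA-6-302014: Teardown TCP connection 1005516219 for RC:172.23.35.102/45758 to XNet:172.25.27.8/2002 duration 0:00:00 bytes 5435 TCP FINs
Jan 30 2014 20:47:04: %ASA-6-302013: Built inbound TCP connection 1005516229 for RC:172.23.35.102/45759 (172.23.35.102/45759) to XNet:172.25.27.8/2002 (172.25.27.8/2002)
Jan 30 2014 20:47:04: %ASA-6-106015: Deny TCP (no connection) from 172.23.35.102/45758 to 172.25.27.8/2002 flags ACK on interface RC
"""

HEADER_RE = re.compile(r"^(\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): %ASA-\d-(\d{6}): (.*)$")
TEARDOWN_RE = re.compile(r"Teardown TCP connection \d+ for [\w-]+:([\d.]+)/(\d+) to [\w-]+:([\d.]+)/(\d+)"
                         r" duration \S+ bytes \d+ (.*)$")
DENY_RE = re.compile(r"Deny TCP \(no connection\) from ([\d.]+)/(\d+) to ([\d.]+)/(\d+)"
                     r" flags (\S+) on interface (\S+)")

def parse_header(line):
    """Split an ASA syslog line into (timestamp, six-digit message id, message body)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S"), m.group(2), m.group(3)

def correlate(log_text, timewait=timedelta(seconds=15)):
    """For every 106015 deny, find the latest 302014 teardown of the same src/sport/dst/dport.

    A deny within `timewait` of such a teardown is a late packet for a flow the ASA already
    removed from its conn table; a deny with no matching teardown means the ASA never had a
    conn entry for that flow. The 302013 line for source port 45759 is a different flow.
    """
    closed = {}  # (src, sport, dst, dport) -> (teardown time, teardown reason)
    findings = []
    for line in log_text.splitlines():
        parsed = parse_header(line)
        if parsed is None:
            continue
        ts, msg_id, body = parsed
        if msg_id == "302014" and (m := TEARDOWN_RE.search(body)):
            closed[m.group(1, 2, 3, 4)] = (ts, m.group(5))
        elif msg_id == "106015" and (m := DENY_RE.search(body)):
            flow = m.group(1, 2, 3, 4)
            prior = closed.get(flow)
            age = (ts - prior[0]).total_seconds() if prior else None
            findings.append({
                "flow": flow, "flags": m.group(5), "interface": m.group(6),
                "closed_by": prior[1] if prior else None,
                "age_seconds": age,
                "within_timewait": prior is not None and age <= timewait.total_seconds(),
            })
    return findings
```

Running `correlate(SAMPLE_LOG)` pairs the ACK for port 45758 with the FIN teardown of the same 4-tuple zero seconds earlier; a deny with no matching teardown in the log is the case to chase with a capture or a routing check.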

Hi Jouni & Julio,

Seems the issue was routing.

Thanks for explaining it to me in detail.

Regards

Mahesh
