Direction of ACL traffic flow

mahesh18
Level 6

Hi Everyone,

Need to confirm the log below:

%ASA-6-106100: access-list Test_access_in denied tcp Test/172.24.x.x(443) -> Test/172.16.x.x(53310) hit-cnt 1 first hit [0x55b05541, 0x7c3c1e84]

Does this mean that traffic from interface Test on port 443 to interface Test1 of the ASA is denied, as there is no ACL to allow traffic from 172.24 to 172.16?

Or is it the other way around?

Regards

Mahesh

Accepted Solution

Jouni Forss
VIP Alumni

Hi Mahesh,

Seems to me that it's not the typical Deny message related to ACLs. It might be that you have some ACL configuration with the "log" parameter configured at the end.

It still doesn't explain why this was denied.

It seems to me to be return traffic for some HTTPS connection, but I am not sure why the firewall would block it. Unless we are possibly talking about asymmetric routing, where the firewall blocks a return packet for some connection that the ASA in question hasn't seen.

Here is a link to the above mentioned Syslog ID 106100 information/explanation:

http://www.cisco.com/en/US/docs/security/asa/syslog-guide/logmsgs.html#wp4769049

- Jouni

7 Replies


Hi Jouni,

You are absolutely correct that log was created due to asymmetric routing issue.

I fixed the routing issue and all is well now.

But for my understanding, I need to learn what this log means here.

Traffic to the destination was going via interface Test1, and when the return traffic came back to this firewall it was coming in on interface Test.

After the routing issue was fixed, the return traffic was coming back on interface Test1.

So now, if we look at the log again:

%ASA-6-106100: access-list Test_access_in denied tcp Test1/172.24.x.x(443) -> Test/172.16.x.x(53310) hit-cnt 1 first hit [0x55b05541, 0x7c3c1e84]

Can we conclude that traffic is coming in on interface Test and is trying to go to interface Test1 of the same ASA?

Source is 172.16 and destination is 172.24?

It did not allow traffic from interface Test to Test1 because there is no ACL to allow traffic from interface Test to Test1?

Regards

Mahesh


Hi,

I am not quite sure about the situation. It seems to me that the initial connection would have come from Test to Test1, looking at the ports.

It would probably be best to see the "packet-tracer" output for this same connection:

packet-tracer input Test tcp 172.16.x.x 12345 172.24.x.x 443

Perhaps also the output of:

show run access-group

- Jouni

Hi Jouni,

Packet-tracer does not work.

Return traffic comes from interface Test to Test1.

access-group Test_access_in in interface Test1

access-group Test in interface Test

Regards

Mahesh

Hi Mahesh,

Please provide the packet-tracer output:

packet-tracer input Test tcp 172.16.x.x 12345 172.24.x.x 443

Regards,

Harvey

Hi Mahesh,

The "packet-tracer" should work. Just make sure you insert the actual IP addresses into the command instead of the ones with the "x.x", since you didn't mention the full IP addresses in your posts.

- Jouni

Hi Jouni,

I found this in the ASA syslog message PDF:

Error Message %ASA-4-106100: access-list acl_ID {permitted | denied | est-allowed} protocol interface_name/source_address(source_port) (idfw_user, sg_info) interface_name/dest_address(dest_port) (idfw_user, sg_info) hit-cnt number ({first hit | number-second interval}) hash codes

So as per this, the source is the Test1 interface and it is going to the destination interface Test. The reason it was denied is the asymmetric route.

Also from the Cisco site:

For example, if an ACK packet is received on the ASA (for which no TCP connection exists in the connection table), the ASA might generate message 106100, indicating that the packet was permitted; however, the packet is later correctly dropped because of no matching connection.

So due to the above reason the packet was dropped.

Best regards

Mahesh
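The thread ends by reading the 106100 format field by field: the first interface_name/address(port) pair is the packet's ingress interface and source, the second is the egress interface and destination. The following parser, an added example that is not part of this thread or of any Cisco software, applies that reading to the message format quoted above. It extracts the direction, names the interface the ACL was applied to (the ingress one, matching the "access-group ... in interface" lines posted earlier), and flags the pattern discussed here: a server port such as 443 as the source with an ephemeral destination port, which is the shape of return traffic for a session the ASA may have no connection entry for. The sample lines are constructed for the example; the first reuses the thread's own redacted log line, the second is an invented forward-direction line with placeholder hash values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern for the %ASA-n-106100 message format quoted in the thread. The
# optional "(idfw_user, sg_info)" groups after each endpoint are tolerated
# and ignored; the "x.x" placeholders used in the thread are accepted as-is.
LOG_106100 = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[^(\s]+)\((?P<src_port>\d+)\)(?: \([^)]*\))? -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[^(\s]+)\((?P<dst_port>\d+)\)(?: \([^)]*\))? "
    r"hit-cnt (?P<hits>\d+) (?P<interval>first hit|\d+-second interval) "
    r"\[(?P<hash1>0x[0-9a-fA-F]+), (?P<hash2>0x[0-9a-fA-F]+)\]"
)

# Server-side ports commonly seen as the *source* of reply packets (assumption
# for the heuristic; extend to match your environment).
WELL_KNOWN_SERVER_PORTS = {22, 25, 53, 80, 110, 143, 443, 445, 993, 995, 3389}

# Constructed sample input: line 1 is the redacted log from the thread,
# line 2 is an invented forward-direction hit with placeholder hash codes.
SAMPLE_LINES = [
    "%ASA-6-106100: access-list Test_access_in denied tcp Test1/172.24.x.x(443) "
    "-> Test/172.16.x.x(53310) hit-cnt 1 first hit [0x55b05541, 0x7c3c1e84]",
    "%ASA-6-106100: access-list Test permitted tcp Test/172.16.x.x(53310) "
    "-> Test1/172.24.x.x(443) hit-cnt 1 first hit [0x00000000, 0x00000000]",
]


@dataclass
class AclHit:
    acl: str
    action: str
    proto: str
    ingress_if: str   # interface the packet arrived on; the ACL is applied here
    src_ip: str
    src_port: int
    egress_if: str    # interface the packet was heading out of
    dst_ip: str
    dst_port: int
    hits: int


def parse_106100(line: str) -> Optional[AclHit]:
    """Parse one 106100 syslog line; return None if it is not a 106100 message."""
    m = LOG_106100.search(line)
    if not m:
        return None
    return AclHit(
        acl=m["acl"], action=m["action"], proto=m["proto"],
        ingress_if=m["src_if"], src_ip=m["src_ip"], src_port=int(m["src_port"]),
        egress_if=m["dst_if"], dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
        hits=int(m["hits"]),
    )


def looks_like_return_traffic(hit: AclHit) -> bool:
    """True when the packet has the shape of a reply: server port as source,
    ephemeral port as destination. Such a packet should normally match an
    existing connection and never reach the ACL; seeing it logged is a hint
    that the ASA did not see the forward leg (asymmetric routing)."""
    return (hit.proto == "tcp"
            and hit.src_port in WELL_KNOWN_SERVER_PORTS
            and hit.dst_port >= 1024)


def describe(hit: AclHit) -> str:
    """Plain-English reading of the direction, plus the asymmetric-routing hint."""
    text = (f"ACL {hit.acl} (applied inbound on {hit.ingress_if}) {hit.action} "
            f"{hit.proto} {hit.src_ip}:{hit.src_port} arriving on {hit.ingress_if} "
            f"towards {hit.dst_ip}:{hit.dst_port} via {hit.egress_if}")
    if looks_like_return_traffic(hit):
        text += (f"; this looks like a reply to a session initiated from {hit.egress_if}, "
                 "so check for asymmetric routing if no connection entry exists")
    return text


def analyze(lines: List[str]) -> List[str]:
    """Return one description per parseable 106100 line, skipping other lines."""
    results = []
    for line in lines:
        hit = parse_106100(line)
        if hit is not None:
            results.append(describe(hit))
    return results


if __name__ == "__main__":
    for summary in analyze(SAMPLE_LINES):
        print(summary)
```

Running the block over the thread's own log line reports the packet as arriving on Test1 from 172.24.x.x:443 towards 172.16.x.x:53310 via Test, evaluated by Test_access_in, and flags it as probable return traffic; the constructed forward-direction line is reported without the flag.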
