
How to see which inspection-rule closes a connection in ASA 5520?

Hi,

I experience that several TCP-connections through my ASA 5520 are closed by inspection in the ASA. In the logs I find entries like "Flow closed by inspection", but how can I find WHICH inspection-rule closes the connections? Many of the connections that are closed use port numbers that do not have an inspection-rule.

I am running version 9.1(2).

Best regards,

Thor-Egil

1 ACCEPTED SOLUTION

How to see which inspection-rule closes a connection in ASA 5520

Hello,

Okay,

As in the previous post:

Have you disabled the ICMP inspection and tested?

Due to

ICMP inspection closes TCP conns with "Flow closed by inspection"

CSCui40499

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
4 REPLIES

How to see which inspection-rule closes a connection in ASA 5520

Hello,

If you do show service-policy you will see the number of drops per inspection engine.

Can you provide us an example of what you are referring to as unused ports?


Cheers,

Julio Carvajal Segura


How to see which inspection-rule closes a connection in ASA 5520

Hi,

I have a lot of drops on connections using port tcp/3389 (remote desktop), and I cannot see which inspection-rule closes these connections.

Here is output from show service-policy:

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns _default_dns_map, packet 54168677, drop 448216, reset-drop 0, v6-fail-close 0
      Inspect: ftp, packet 84923, drop 110, reset-drop 0, v6-fail-close 0
      Inspect: ctiqbe, packet 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: dcerpc, packet 429732, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 h225 _default_h323_map, packet 1036, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: http, packet 1974971854, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: ils, packet 29699552, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: ipsec-pass-thru _default_ipsec_passthru_map, packet 1078, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: mgcp, packet 1, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: netbios, packet 41451, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: pptp, packet 10101, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: rtsp, packet 162941, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sip , packet 2693, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: snmp, packet 16950, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: sqlnet, packet 10, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: sunrpc, packet 19, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: icmp, packet 545248, drop 6039, reset-drop 0, v6-fail-close 0
      Inspect: icmp error, packet 10989, drop 122, reset-drop 0, v6-fail-close 0
    Class-map: global-class
      IPS: card status Up, mode inline fail-open
        packet input 5261295006, packet output 5261310875, drop 2785, reset-drop 14
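
Added example, not part of the original thread: the counters in show service-policy are running totals, so one snapshot shows history rather than which engine is dropping now. This Python sketch parses two saved snapshots in the format above and ranks the inspection engines by how much their drop counters grew in between; the snapshot contents and function names are constructed for illustration.

```python
import re

# Constructed snapshots in the "Inspect:" line format shown above (values invented).
SNAP_BEFORE = """\
      Inspect: dns _default_dns_map, packet 1000, drop 40, reset-drop 0, v6-fail-close 0
      Inspect: sip , packet 2693, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: icmp, packet 5000, drop 60, reset-drop 0, v6-fail-close 0
      Inspect: icmp error, packet 100, drop 1, reset-drop 0, v6-fail-close 0
"""
SNAP_AFTER = """\
      Inspect: dns _default_dns_map, packet 1400, drop 45, reset-drop 0, v6-fail-close 0
      Inspect: sip , packet 2693, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: icmp, packet 5900, drop 72, reset-drop 0, v6-fail-close 0
      Inspect: icmp error, packet 100, drop 1, reset-drop 0, v6-fail-close 0
"""

INSPECT_RE = re.compile(
    r"^\s*Inspect:\s*(?P<name>[^,]+?)\s*,\s*packet\s+(?P<packet>\d+),"
    r"\s*drop\s+(?P<drop>\d+),\s*reset-drop\s+(?P<reset>\d+)")

def parse_inspect_counters(text):
    """Return {engine name (with map, if any): {"packet", "drop", "reset_drop"}}."""
    counters = {}
    for line in text.splitlines():
        m = INSPECT_RE.match(line)
        if m:  # tcp-proxy, Class-map and IPS lines do not match and are skipped
            counters[m["name"]] = {"packet": int(m["packet"]),
                                   "drop": int(m["drop"]),
                                   "reset_drop": int(m["reset"])}
    return counters

def _growth(prev, cur):
    # A counter lower than before means it was cleared; count from zero.
    return cur - prev if cur >= prev else cur

def drop_deltas(before, after):
    """List (engine, new drops) for engines whose drop counters grew, largest first."""
    old, new = parse_inspect_counters(before), parse_inspect_counters(after)
    grown = {}
    for name, cur in new.items():
        prev = old.get(name, {"drop": 0, "reset_drop": 0})
        delta = (_growth(prev["drop"], cur["drop"])
                 + _growth(prev["reset_drop"], cur["reset_drop"]))
        if delta > 0:
            grown[name] = delta
    return sorted(grown.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for engine, delta in drop_deltas(SNAP_BEFORE, SNAP_AFTER):
        print(f"{engine}: +{delta} drops")
```

The result narrows the search to engines that were dropping during the window in which connections were closed; it does not tie a drop to an individual connection.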


How to see which inspection-rule closes a connection in ASA 5520

Hi and thanks for your answer,

I have now disabled the icmp-inspection and will test if this solves the problem. I also see that Cisco has released an interim-version 9.1.2(8) that has some inspection-fixes; I will try this version.

Cheers,

Thor-Egil
