07-16-2007 11:05 PM - edited 03-11-2019 03:45 AM
Hi,
Our PIX Firewall is showing unwanted TCP as well as UDP
connections originating from the outside interface (security level 0) to the inside
interface (security level 100) when issuing the "sh conn" command. The
things confusing me are:
1. The connections are shown coming from the outside interface (which is
administratively down and whose link is also down) to the inside
interface.
2. The TCP connections show flag saA for these instances, and the UDP
connections are shown without flags.
So, it seems basically as if the PIX Firewall itself is seeing
connections which logically and physically are not possible (as the
source IPs shown in the "show conn" command for these instances come
from the outside interface, which is inactive).
Moreover, when the "show conn state up" command is used, correct active
connections are displayed. Can anyone explain to me this faulty
occurrence of intrinsic connections by the PIX Firewall and how
these can be removed?
07-17-2007 12:52 AM
My guess is that it is inside to outside connections that remain in the SYN connection state. The saA flag is a typical inside to outside SYN connection.
An outside to inside SYN connection has the flags SaaB.
You can also check the logfile, it should tell you all about these connections.
07-17-2007 03:30 AM
Thanks for your insight on this issue.
But I am certain that the connections are shown coming from outside to the inside interface with flag "saA". The real confusion is that the source IPs (shown coming from the outside interface) displayed cannot practically be there, as the outside interface is admin shut and the link to it is down.
Can you provide further insight on how to clean up these unnecessarily formed connections?
07-17-2007 04:03 AM
The connections can't be from the outside, because what the flags mean is that the firewall has seen an inside SYN and the connection is awaiting the outside SYN and the outside ACK to the SYN.
How do you come to a different conclusion? The output from show conn clearly shows that it is a connection originating on the inside if the connection has these flags.
You can use 'clear xlate' to clear connection slots.
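The flag reading above is the whole point of the thread: the "out"/"in" columns of "show conn" only say which side of the firewall each address sits on, while the flag letters say who sent the first SYN and what the firewall is still waiting for. The script below is an added example (not posted in the thread and not Cisco code) that parses "show conn" style lines, expands the flag letters using the PIX/ASA flag legend, and separates inside-originated half-open connections ("saA") from outside-originated ones ("B" present) and established ones ("U"). The sample output is constructed to resemble the PIX format and is not from a real device; column layout on other software releases may differ, so the regex is an assumption to adjust.

```python
import re

# Added example (not from the thread). Decodes PIX/ASA "show conn" lines and
# classifies half-open TCP connections by who sent the first SYN. The flag
# letters below are taken from the PIX/ASA "show conn" flag legend; the sample
# output is constructed to resemble that format and is not real device output.

FLAG_LEGEND = {
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "U": "up",
    "I": "inbound data",
    "O": "outbound data",
    "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN",
}

# One entry: "<proto> <out_if> <ip:port> <in_if> <ip:port> idle <t> bytes <n> [flags <f>]"
# (assumed layout; adjust if your release prints the columns differently)
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)\s+"
    r"idle\s+(?P<idle>\S+)\s+bytes\s+(?P<bytes>\d+)"
    r"(?:\s+flags\s+(?P<flags>\S+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample resembling PIX "show conn" output (not from a real box).
SAMPLE_SHOW_CONN = """\
TCP out 203.0.113.10:80 in 10.1.1.25:35402 idle 0:00:12 bytes 0 flags saA
TCP out 203.0.113.11:443 in 10.1.1.30:50311 idle 0:00:03 bytes 0 flags SaAB
TCP out 198.51.100.7:22 in 10.1.1.40:41000 idle 0:01:05 bytes 8192 flags UIO
UDP out 203.0.113.53:53 in 10.1.1.25:53021 idle 0:00:02 bytes 0
"""


def parse_conn(line):
    """Return a dict for one show conn line, or None if it is not a conn entry."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    conn = m.groupdict()
    conn["flags"] = conn["flags"] or ""
    conn["bytes"] = int(conn["bytes"])
    return conn


def decode_flags(flags):
    """Expand a flag string such as 'saA' into its legend entries."""
    return [FLAG_LEGEND.get(f, "unknown flag %r" % f) for f in flags]


def classify(conn):
    """Who opened the connection and where it stands in the 3-way handshake."""
    flags = conn["flags"]
    if conn["proto"].upper() == "UDP":
        return "udp"                      # UDP entries carry no handshake flags
    if "U" in flags:
        return "established"              # what "show conn state up" lists
    if "B" in flags:
        # Outside host sent the SYN; firewall is still waiting on the inside host.
        return "half-open, initiated from outside"
    if "s" in flags:
        # Inside SYN seen; outside has not yet answered with its SYN/ACK.
        return "half-open, initiated from inside"
    return "unknown"


def half_open_from_inside(show_conn_text):
    """(inside host, outside host, outside port) for every 'saA'-style entry."""
    hosts = []
    for line in show_conn_text.splitlines():
        conn = parse_conn(line)
        if conn and classify(conn) == "half-open, initiated from inside":
            hosts.append((conn["in_ip"], conn["out_ip"], conn["out_port"]))
    return hosts


if __name__ == "__main__":
    for line in SAMPLE_SHOW_CONN.splitlines():
        c = parse_conn(line)
        print(line)
        print("   ->", classify(c), "|", ", ".join(decode_flags(c["flags"])) or "no flags")
```

Run against a pasted "show conn" capture, the inside hosts returned by half_open_from_inside() are the ones sending SYNs that never get answered, which is where to look (dead outside path, a scanner, or a misconfigured client) before clearing the slots.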