2009-02-20 08:52:57 Local4.Critical 1 %ASA-2-106001: Inbound TCP connection denied from <SPECIFIC PUBLIC ADDRESS>/80 to <ASA INSIDE HOST>/32622 flags FIN ACK on interface outside
This is not the only line, but ASA INSIDE HOST is always the same. It is mainly TCP connections with specific flags that the ASA is dropping on the outside interface (we also have an IPS module, but the connection never reaches the IPS; it is dropped on outside), but there are also some UDP connections. On Friday, there was scanning for about two hours.
Also, once a month, all VPNs that are terminated on the ASA are dropped, and I need to reload the device for the VPNs to work again.
Does anybody have any experience with this? Could the scanning be related to the VPN drops?
Error Message %PIX-2-106001: Inbound TCP connection denied from IP_addr/port to IP_addr/port flags TCP_flags on interface int_name
Explanation This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by your security policy. Possible TCP_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the PIX Firewall, and it was dropped. The TCP_flags in this packet are FIN and ACK.
The TCP_flags are as follows:
- ACK: The acknowledgment number was received.
- FIN: Data was sent.
- PSH: The receiver passed data to the application.
- RST: The connection was reset.
- SYN: Sequence numbers were synchronized to start a connection.
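
The flag field described above can be used to triage these messages. The following is an added example, not part of the original thread or the vendor documentation: it parses 106001 lines and separates packets that arrived with no connection state (FIN ACK, RST) from bare SYNs that try to open a new connection. The sample addresses are constructed, and the classification rule is an assumption of this example.

```python
import re
from collections import Counter

# Matches the 106001 message body in the format quoted above (PIX or ASA prefix).
PATTERN = re.compile(
    r"%(?:ASA|PIX)-2-106001: Inbound TCP connection denied from "
    r"(?P<src>[^/\s]+)/(?P<sport>\d+) to (?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<intf>\S+)"
)

def parse(line):
    """Return the fields of a 106001 line as a dict, or None for any other message."""
    m = PATTERN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = frozenset(rec["flags"].split())
    return rec

def classify(rec):
    """Label a denied packet by its flags (heuristic assumed for this example)."""
    flags = rec["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"  # unsolicited open toward an inside address
    return "no-connection-state"         # mid-stream packet, e.g. FIN ACK after teardown

def summarize(lines):
    """Count (destination, source, label) so repeated sources and targets stand out."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            counts[(rec["dst"], rec["src"], classify(rec))] += 1
    return counts

# Constructed sample lines using documentation address ranges (not from the post).
PREFIX = ("2009-02-20 08:52:57 Local4.Critical 1 %ASA-2-106001: "
          "Inbound TCP connection denied from ")
SAMPLE = [
    PREFIX + "198.51.100.7/80 to 192.0.2.10/32622 flags FIN ACK on interface outside",
    PREFIX + "198.51.100.7/80 to 192.0.2.10/32623 flags RST on interface outside",
    PREFIX + "203.0.113.9/40112 to 192.0.2.10/22 flags SYN on interface outside",
    PREFIX + "203.0.113.9/40113 to 192.0.2.10/23 flags SYN on interface outside",
    "2009-02-20 08:53:05 Local4.Info 1 unrelated message (constructed)",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

Many "no-connection-state" entries from a web server's port 80 to high ports on one inside host usually mean late replies to sessions the firewall has already torn down, while a run of "new-connection-attempt" entries from one source across many destination ports is the pattern a scan produces.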