Just installed some new ASAs to replace our old 520 PIX boxes and I'm seeing some interesting traffic being denied. The traffic originates from various websites (that our users are accessing without difficulties) and is destined for our proxy server. A sample error is included below. I've changed the proxy server address.
It's strange because obviously no ACL is required in this setup: any traffic coming back to the proxy server should already be part of an existing conversation. It isn't causing operational issues as far as I can tell, but I'd like to understand the messages or suppress them so they don't fill my logs up.
Those are most probably in-flight residual packets that are denied because the connection on the ASA is already considered closed, so each one is treated as a "new session" and hits the default deny in the ACL.
You can enable "sysopt connection timewait" to have the ASA linger the deleted connections for a while (20 sec); then the syslogs should be gone.
Indeed this will cause a slight increase in the number of connections as seen by "show conn".
If you prefer, you can verify that my assumption is correct by doing the following:
1) collect two captures, on inside and outside
2) correlate the captures with the syslogs to see exactly which packets are being dropped.
What you should see in the captures is the very last packet(s) being denied.
Let me know if you find anything. I've recently gone through the same PIX --> ASA upgrade and I'm seeing the same issue. Getting a ton of denies on ports 80/443/25, but they don't seem to be causing an operational issue.
I did some checking of the addresses that are showing up and I've noticed that most/all seem to be related to ad-tracking/double-click/web tracking type of traffic. I think that has something to do with it...I wonder if some websites generate these secondary connections from advertising servers which come from a different source than the original website?
I get ~20/sec. My message is 01-04-2008 16:06:21 Local4.Warning pix.xxx.xxxxx.com Jan 04 2008 15:58:39: %PIX-4-106023: Deny tcp src outside:xxx.xxx.xxx.xxx/29977 dst inside:yyy.yyy.yyy.yyy/25 by access-group "OUTSIDE_ACCESS_IN"
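The verification suggested above (correlate the denies with the connection lifecycle) can be done from the syslog feed alone before anyone collects captures: if the firewall also logs connection teardowns (%ASA-6-302014, which requires informational-level logging), every %PIX-4-106023 deny can be checked for a teardown of the same 5-tuple a few seconds earlier. The script below is an added example, not code from the thread or from Cisco; the log lines in it are constructed with documentation addresses, the message formats are the standard 106023 and 302014 formats, and the 20-second default window mirrors the timewait value quoted in the reply. A deny that lands within the window after a teardown of the same flow is the residual-packet case; a deny for a flow the firewall never logged at all is worth a second look.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Timestamp the firewall itself stamps on the line, e.g. "Jan 04 2008 15:58:39".
TS = r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
ENDPOINT = r"(?P<{n}_if>\w+):(?P<{n}_ip>[\d.]+)/(?P<{n}_port>\d+)"

# %PIX-4-106023 / %ASA-4-106023: packet denied by an interface ACL.
DENY_RE = re.compile(
    TS + r": %(?:PIX|ASA)-4-106023: Deny (?P<proto>\w+) src "
    + ENDPOINT.format(n="src") + " dst " + ENDPOINT.format(n="dst")
    + r' by access-group "(?P<acl>[^"]+)"'
)
# %ASA-6-302014: connection removed from the state table (level 6 logging needed).
TEARDOWN_RE = re.compile(
    TS + r": %(?:PIX|ASA)-6-302014: Teardown (?P<proto>\w+) connection \d+ for "
    + ENDPOINT.format(n="src") + " to " + ENDPOINT.format(n="dst")
)


def _parse_ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")


def _flow_key(m):
    """Direction-independent 5-tuple, so a teardown logged as outside->inside
    matches a deny for the same pair regardless of which side is 'src'."""
    return (m["proto"].lower(),
            frozenset({(m["src_ip"], int(m["src_port"])),
                       (m["dst_ip"], int(m["dst_port"]))}))


def classify_denies(lines, window_seconds=20):
    """Return one (timestamp, flow, verdict, age_seconds) tuple per deny.
    'residual': the same flow was torn down within the window before the deny.
    'late':     a teardown exists but is older than the window.
    'no_conn':  the firewall never logged a teardown for that 5-tuple."""
    teardowns = defaultdict(list)
    denies = []
    for line in lines:
        m = TEARDOWN_RE.search(line)
        if m:
            teardowns[_flow_key(m)].append(_parse_ts(m["ts"]))
            continue
        m = DENY_RE.search(line)
        if m:
            denies.append((_parse_ts(m["ts"]), m))

    results = []
    for ts, m in denies:
        prior = [t for t in teardowns.get(_flow_key(m), []) if t <= ts]
        if not prior:
            verdict, age = "no_conn", None
        else:
            age = (ts - max(prior)).total_seconds()
            verdict = "residual" if age <= float(window_seconds) else "late"
        flow = f"{m['src_ip']}/{m['src_port']}->{m['dst_ip']}/{m['dst_port']}"
        results.append((ts, flow, verdict, age))
    return results


def summarize(results):
    """Count denies per verdict; a large 'residual' share supports the
    in-flight-packet explanation given in the thread."""
    return Counter(r[2] for r in results)


# Constructed sample feed (RFC 5737 addresses), mixing teardowns and denies.
SAMPLE_LOG = [
    "Jan 04 2008 15:58:37: %ASA-6-302014: Teardown TCP connection 41117 for "
    "outside:203.0.113.5/29977 to inside:198.51.100.10/25 duration 0:00:03 bytes 2841 TCP FINs",
    "Jan 04 2008 15:58:39: %PIX-4-106023: Deny tcp src outside:203.0.113.5/29977 "
    'dst inside:198.51.100.10/25 by access-group "OUTSIDE_ACCESS_IN"',
    "Jan 04 2008 15:57:00: %ASA-6-302014: Teardown TCP connection 41002 for "
    "outside:203.0.113.7/51000 to inside:198.51.100.10/80 duration 0:00:12 bytes 90211 TCP FINs",
    "Jan 04 2008 15:58:41: %PIX-4-106023: Deny tcp src outside:203.0.113.7/51000 "
    'dst inside:198.51.100.10/80 by access-group "OUTSIDE_ACCESS_IN"',
    "Jan 04 2008 15:58:40: %PIX-4-106023: Deny tcp src outside:203.0.113.9/44120 "
    'dst inside:198.51.100.10/443 by access-group "OUTSIDE_ACCESS_IN"',
]

if __name__ == "__main__":
    rows = classify_denies(SAMPLE_LOG)
    for ts, flow, verdict, age in rows:
        print(ts, flow, verdict, age)
    print(summarize(rows))
```

Because both patterns use `search`, the lines may carry a syslog-server prefix (host, facility) ahead of the firewall's own timestamp, as the message quoted above does. Feeding a real export instead of SAMPLE_LOG means reading the file into `lines`; the 5-tuple matching assumes the teardown and deny name the same real addresses, so on a firewall where the deny lands on the NAT-mapped side the key would need the mapped address from the 302014 line instead.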