Community Member

TCP Deny(No Connection) from x.x.x.x to y.y.y.y flags FIN ACK on Interface outside

Hi All,

I am receiving plenty of these messages on my ASA 5520. After plenty of logs, there is also "TCP Deny(No Connection) from x.x.x.x to y.y.y.y flags RST ACK on Interface outside" showing.

I don't know the reason behind this. Can you please let me know the reason behind such error messages?

Thanks

Accepted Solution
Super Bronze

Re: TCP Deny(No Connection) from x.x.x.x to y.y.y.y flags FIN AC

Hi,

The main information that this message tells us is that there was traffic coming from behind the "outside" interface for which there is no existing connection.

The ASA is always expecting the first packet of the TCP connection to be the TCP SYN from the host that tries to open/form the TCP connection.

If some other TCP packets are coming, like this TCP RST ACK, it presumes that these are packets for an existing connection. It then checks its connection table but doesn't find an existing connection and therefore drops the traffic.

So to me it seems that this log message indicates traffic for a connection that has already been torn down (removed from the connection table) by the ASA, and therefore the ASA doesn't let this traffic through.

Typically the ASA tears down a TCP connection when it has seen the closing sequence from both of the hosts involved in the TCP connection, for example a client on the LAN and a web server on the Internet.

The typical sequence after which the connection is closed is when a TCP FIN is sent by both the client and the server and both send a TCP ACK to each other's TCP FIN. After the ASA has seen this sequence of messages/packets it tears down the connection.

Here is some information about TCP connections:

http://www.tcpipguide.com/free/t_TCPConnectionTermination-4.htm

In some cases I presume that the host might also send a TCP RST, but if the connection has already been removed from the ASA, the ASA has no reason to allow this packet through.

What you can do naturally is go through your logs and try to find the log messages for the connections where you see the connection forming and then being torn down. I mean try to find the connection forming/closing logs for the messages that you are getting, so you can confirm that the ASA has already seen the client/server close the TCP connection in the normal way by sending the TCP FIN/ACK messages.

You could also take a traffic capture on the ASA or on a client on your LAN to see what is actually happening with certain TCP connections.

My own guess would be that these don't really indicate any actual problem. For example, I see these constantly when browsing the Internet on my home ASA5505.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni
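The behaviour Jouni describes can be modelled as a small stateful connection table: an entry is built only on a SYN, torn down once FIN and ACK have been seen from both hosts (or on a RST), and any non-SYN packet without an entry is logged as "Deny (No Connection)". This is an added example, not code from the thread or from Cisco; the hosts, packet sequence and log wording are constructed for illustration.

```python
# Added illustration of the ASA connection-table logic explained above.
# Hosts, packet order and log text are constructed, not real ASA output.

FLAG_ORDER = ("FIN", "RST", "SYN", "ACK")  # order used when printing flags


def fmt(flags):
    return " ".join(f for f in FLAG_ORDER if f in flags)


def flow_key(src, dst):
    """Connection-table key that is the same for both directions."""
    return tuple(sorted((src, dst)))


def process(packets):
    """Run (src, dst, "FLAGS") tuples through the table; return log lines."""
    table = {}
    log = []
    for src, dst, flag_str in packets:
        flags = set(flag_str.split())
        key = flow_key(src, dst)
        conn = table.get(key)
        if conn is None:
            # Only a bare SYN may create state; anything else has no connection.
            if flags == {"SYN"}:
                table[key] = {"fin_sent": set(), "fin_acked": set()}
                log.append(f"Built TCP connection {src} -> {dst}")
            else:
                log.append(f"Deny (No Connection) from {src} to {dst} flags {fmt(flags)}")
            continue
        if "RST" in flags:
            del table[key]
            log.append(f"Teardown TCP connection {src} <-> {dst} (RST)")
            continue
        if "FIN" in flags:
            conn["fin_sent"].add(src)
        if "ACK" in flags:
            # An ACK from one side acknowledges the FIN the other side sent.
            conn["fin_acked"].update(h for h in conn["fin_sent"] if h != src)
        if len(conn["fin_acked"]) == 2:
            del table[key]
            log.append(f"Teardown TCP connection {src} <-> {dst} (FIN/ACK both ways)")
    return log


# Constructed sequence: normal open, clean close, then two late packets from
# the server side that arrive after the entry has already been removed.
SAMPLE_PACKETS = [
    ("10.1.1.10", "203.0.113.5", "SYN"),
    ("203.0.113.5", "10.1.1.10", "SYN ACK"),
    ("10.1.1.10", "203.0.113.5", "ACK"),
    ("10.1.1.10", "203.0.113.5", "FIN ACK"),
    ("203.0.113.5", "10.1.1.10", "FIN ACK"),
    ("10.1.1.10", "203.0.113.5", "ACK"),
    ("203.0.113.5", "10.1.1.10", "FIN ACK"),  # late retransmit -> denied
    ("203.0.113.5", "10.1.1.10", "RST ACK"),  # server reset -> denied
]

if __name__ == "__main__":
    print("\n".join(process(SAMPLE_PACKETS)))
```

The last two log lines reproduce the two messages from the question, which is why correlating them with the earlier Built/Teardown lines for the same hosts is the right check.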

3 REPLIES

Community Member

TCP Deny(No Connection) from x.x.x.x to y.y.y.y flags FIN ACK on

Hi Jouni,

Thanks a lot for your detailed message.

Thanks

Community Member

Re: TCP Deny(No Connection) from x.x.x.x to y.y.y.y flags FIN ACK on Interface outside

I know this post is old, but just in case people are still looking for another answer.

 

So when you HTTPS (port 443) to the device, either using your web browser or using the ASDM GUI, you're going to try to negotiate how you're going to encrypt your traffic, using SSL or TLS. The ASA I currently use only supports SSLv3 or TLSv1. So if your web browser is using SSLv1 or SSLv2, you will not be able to connect to your ASA device.

 

1. You initiate the 3-way handshake.

2. After the 3-way handshake, you tell the ASA what you want to talk on, i.e. SSL or TLS.

3. The ASA acknowledges, then verifies that it can talk using your encryption method.

 

If it accepts, you will go into the device just fine. If it doesn't like the encryption method, you will receive the error you see above.

 

Hope this helps other people.

 
