Cisco Support Community

Why is the ASA dropping the SYN/ACK packet of a connection permitted by the ACL?

Hey guys,

I'm experiencing some kind of weird behavior on my ASA 5520 (8.3.1).

I have a customer that needs to access an inside web server of mine.

I've created a rule in the proper ACL permitting another range of their addresses to access the web server.

I can see the SYN packet being permitted, the ACL's counter increases, and... the SYN/ACK is being denied by the firewall!!!

Look at the log...


6|Sep 17 2014|16:29:29|302013|172.40.36.20|3154|10.171.3.139|80|Built outbound TCP connection 1075586687 for vlan5:10.171.3.139/80 (10.171.3.139/80) to vlan155:172.40.36.20/3154 (172.40.36.20/3154)

2|Sep 17 2014|16:29:29|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK  on interface vlan155

2|Sep 17 2014|16:29:32|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK  on interface vlan155
2|Sep 17 2014|16:29:38|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK  on interface vlan155

Also, we don't use NAT for those IPs.

Anyone?

2 REPLIES

Hi,

Can you post the ACL as well ?

Or maybe your ASA is sensing some SYN flood attacks from your client and TCP Intercept is in the business of preventing the 3-way handshake from completing.

Cheers

Hi

Thanks for helping!

 access-list vlan155_access_in line 4 extended permit tcp 172.40.36.0 255.255.252.0 host 10.171.3.139 eq www (hitcnt=15)

Cheers
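The symptom is already visible in the three lines the poster pasted, and it is worth checking mechanically before looking at the ACL or at TCP Intercept. In the 302013 "Built" message the ASA associates the web server 10.171.3.139/80 with vlan5 and the client 172.40.36.20/3154 with vlan155, yet every 106001 deny says the server's SYN/ACK arrived "on interface vlan155". A packet that shows up on an interface other than the one the existing connection expects for that host does not match the connection, and a SYN/ACK can never open a new one, so the ASA logs 106001. That pattern points at the return path the server's reply is taking back to the firewall rather than at the ACL, which the hit count shows is already permitting the SYN. The script below is an added example, not code from this thread or from Cisco: it parses the pipe-delimited syslog export exactly as pasted above (severity|date|time|msgid|src|sport|dst|dport|text), correlates 302013 and 106001 messages on the TCP 5-tuple, and reports every denied packet whose sender the Built message had placed behind a different interface. The sample log is the poster's own three lines embedded as a constructed string; the Finding record and the function names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the poster's lines, in the pipe-delimited export format
# seen in the thread (severity|date|time|msgid|src|sport|dst|dport|message text).
SAMPLE_LOG = """\
6|Sep 17 2014|16:29:29|302013|172.40.36.20|3154|10.171.3.139|80|Built outbound TCP connection 1075586687 for vlan5:10.171.3.139/80 (10.171.3.139/80) to vlan155:172.40.36.20/3154 (172.40.36.20/3154)
2|Sep 17 2014|16:29:29|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK  on interface vlan155
2|Sep 17 2014|16:29:32|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK  on interface vlan155
2|Sep 17 2014|16:29:38|106001|10.171.3.139|80|172.40.36.20|3154|Inbound TCP connection denied from 10.171.3.139/80 to 172.40.36.20/3154 flags SYN ACK  on interface vlan155
"""

# 302013: "Built {inbound|outbound} TCP connection <id> for <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped>)"
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection (?P<conn>\d+) "
    r"for (?P<if_a>[^:\s]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) \([^)]*\) "
    r"to (?P<if_b>[^:\s]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) \([^)]*\)"
)
# 106001: "Inbound TCP connection denied from <ip>/<port> to <ip>/<port> flags <FLAGS> on interface <if>"
DENY_RE = re.compile(
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)


@dataclass
class Finding:
    """One denied packet that belongs to a built connection but arrived on the wrong interface."""
    time: str
    conn_id: str
    replier: tuple       # (ip, port) of the host whose packet was denied
    seen_on: str         # interface the denied packet arrived on
    expected_on: str     # interface the Built message associates with that host
    flags: str


def parse_line(line):
    """Split one export line into (msgid, timestamp, message text); None if malformed."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 9:
        return None
    return fields[3], f"{fields[1]} {fields[2]}", "|".join(fields[8:])


def correlate(log_text):
    """Match 106001 denies against 302013 Built messages on the 5-tuple and flag interface mismatches."""
    conns = {}   # frozenset({(ip, port), (ip, port)}) -> (conn_id, {endpoint: interface})
    denies = []  # (timestamp, regex match) in log order
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        msgid, ts, text = parsed
        if msgid == "302013":
            m = BUILT_RE.search(text)
            if m:
                ep_a = (m["ip_a"], int(m["port_a"]))
                ep_b = (m["ip_b"], int(m["port_b"]))
                conns[frozenset((ep_a, ep_b))] = (m["conn"], {ep_a: m["if_a"], ep_b: m["if_b"]})
        elif msgid == "106001":
            m = DENY_RE.search(text)
            if m:
                denies.append((ts, m))

    findings = []
    for ts, m in denies:
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        conn = conns.get(frozenset((src, dst)))
        if conn is None:
            continue  # no Built message for this 5-tuple: an unsolicited packet, not our case
        conn_id, iface_of = conn
        if iface_of[src] != m["iface"]:
            findings.append(Finding(ts, conn_id, src, m["iface"], iface_of[src], m["flags"].strip()))
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"{f.time}: conn {f.conn_id}: {f.flags} from {f.replier[0]}/{f.replier[1]} "
              f"seen on {f.seen_on}, but the ASA placed that host on {f.expected_on}")
```

Run against the poster's lines it reports all three denies as SYN/ACKs from 10.171.3.139 seen on vlan155 while the connection placed that host on vlan5. A deny whose 5-tuple has no Built message is skipped on purpose: that is the unsolicited-packet case the second reply has in mind, and it needs a different check.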
