PIX error 106015: Deny TCP (no connection) flags PSH ACK
I have a server which is behind a PIX 525 (OS version 6.3(3)). Clients on other segments connect to an application on this server, which is actually HTTP on a non-standard port. The connection always fails and I get the following system log message on the PIX:
106015: Deny TCP (no connection) from 10.219.58.83/35528 to 10.219.126.72/2061 flags PSH ACK on
I found an explanation on cisco.com at the following URL:
Error Message: %PIX-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.
Explanation: This message is logged when the firewall discards a TCP packet that has no associated connection in the firewall unit's connection table. The firewall looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the firewall discards the packet.
Recommended Action: None required unless the firewall receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.
A sniffer was run on the client to capture a packet trace while it accessed the server. The TCP 3-way handshake completed successfully. But when the client asked for data from the server, the client set the PSH bit. As far as I know, the PIX is correctly configured, and "permit ip any any" is temporarily configured on the ACLs to troubleshoot the problem.
I'd like to know what the real cause of the problem is. Is it a PIX configuration error, or is the app not behaving correctly? If anyone knows a workaround, kindly tell me.
This is another scenario, but it's similar to the one I posted earlier. Two interfaces are involved in this case: DMZ-A and DMZ-B. DMZ-A is the higher security-level interface. There's a pool of servers on DMZ-A with IP addresses 10.219.126.70 - .78. The client (with IP address 10.219.58.83) initiates an HTTP connection to any of the servers on a non-standard port, and the request originates on DMZ-B. The client application fails.
Below are outputs of "show log" on the PIX:
Deny TCP (no connection) from 10.219.126.70/2061 to 10.219.58.83/56850 flags PSH ACK on interface DMZ-A
Deny TCP (no connection) from 10.219.58.83/64961 to 10.219.126.72/2061 flags PSH ACK on interface DMZ-B
I tried the following commands:
fixup protocol http 2061
The problem persists, and the following is the PIX "show log":
106015: Deny TCP (no connection) from 10.219.58.83/65106 to 10.219.126.78/2061 flags ACK on interface DMZ-B
I'd like to know whether this is an application error, or whether there's anything we can do on the PIX to work around the issue.
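As an added illustration (not code from these posts or from Cisco) of the rule quoted from cisco.com in the first post and of the "show log" lines in this one: a small Python script that parses 106015 lines into a per-source/destination/port/flags tally, and a deliberately simplified model of the connection-table check (one direction-agnostic key per 4-tuple, no timeouts, no sequence tracking, all of which a real PIX does have) showing that the verdict on a PSH/ACK depends only on whether the firewall saw the SYN for that 4-tuple. The sample log lines are the complete ones quoted above; the two packet sequences are constructed.

```python
import re
from collections import Counter

# Constructed sample log: the complete 106015 lines quoted in the two posts
# above, as "show log" prints them (with and without the message-ID prefix).
SAMPLE_LOG = """\
Deny TCP (no connection) from 10.219.126.70/2061 to 10.219.58.83/56850 flags PSH ACK on interface DMZ-A
Deny TCP (no connection) from 10.219.58.83/64961 to 10.219.126.72/2061 flags PSH ACK on interface DMZ-B
106015: Deny TCP (no connection) from 10.219.58.83/65106 to 10.219.126.78/2061 flags ACK on interface DMZ-B
"""

# One 106015 line; the optional "%PIX-6-" and "106015:" prefixes cover both
# syslog export and "show log" output.
LINE_RE = re.compile(
    r"(?:%PIX-\d-)?(?:106015:\s*)?Deny TCP \(no connection\) from "
    r"(?P<src>\d+(?:\.\d+){3})/(?P<sport>\d+) to "
    r"(?P<dst>\d+(?:\.\d+){3})/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)


def summarize(log_text):
    """Count denials per (src, dst, dport, flags, interface).

    The Cisco note says the message only needs action in volume, so the
    useful first view is who is hitting which server/port with which flags.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[(m["src"], m["dst"], int(m["dport"]), m["flags"], m["iface"])] += 1
    return counts


def inspect(segments):
    """Minimal model of the rule in the Cisco explanation: a segment is allowed
    if it carries SYN (which opens a connection-table entry) or matches an
    existing entry; anything else is denied, which is what 106015 records.
    Simplification: direction-agnostic key per 4-tuple, no timeouts/sequence checks.
    """
    conn_table = set()
    verdicts = []
    for src, sport, dst, dport, flags in segments:
        key = frozenset({(src, sport), (dst, dport)})
        if "SYN" in flags.split():
            conn_table.add(key)
            verdicts.append("allow")
        elif key in conn_table:
            verdicts.append("allow")
        else:
            verdicts.append("deny")
    return verdicts


# Constructed sequences using the client/server addresses from the posts.
CLIENT, SERVER = "10.219.58.83", "10.219.126.72"

# Firewall saw the whole handshake: the later data segment matches the entry.
SEEN_HANDSHAKE = [
    (CLIENT, 35528, SERVER, 2061, "SYN"),
    (SERVER, 2061, CLIENT, 35528, "SYN ACK"),
    (CLIENT, 35528, SERVER, 2061, "ACK"),
    (CLIENT, 35528, SERVER, 2061, "PSH ACK"),
]

# Same data segment, but no SYN for this 4-tuple ever passed the firewall.
UNSEEN_HANDSHAKE = [
    (CLIENT, 35528, SERVER, 2061, "PSH ACK"),
    (SERVER, 2061, CLIENT, 35528, "ACK"),
]


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        src, dst, dport, flags, iface = key
        print(f"{n:3d}  {src} -> {dst}:{dport}  flags {flags}  on {iface}")
    print("handshake seen  :", inspect(SEEN_HANDSHAKE))
    print("handshake unseen:", inspect(UNSEEN_HANDSHAKE))
```

The tally is what you would look at first when deciding whether the volume warrants tracing, as the Cisco note recommends; the model is only there to make the quoted rule concrete, not to say why a given firewall lacked the entry.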
I'm having the same issue on my 515E running 6.3(5), and I've not yet been able to tell where this is coming from. I understand why the PIX is logging this, since it's not in the conn table, but the big question is why? I have one Inside, one Outside, and one DMZ interface, and am performing PAT outside.