06-12-2018 09:46 AM - edited 02-21-2020 07:52 AM
I am troubleshooting an issue where I see a lot of return traffic from web browsing getting denied.
I am running software version 9.6(4).6 with a Firepower module on board.
I originally thought it was due to closed (torn down) connections, but digging a little further this does not seem to be the case.
I see an entry from the Firepower module asking the ASA to bypass processing, then it is dropped by the deny-all ACL.
Jun 12 2018 09:33:16: %ASA-6-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from outside-3:88.157.xxx.11/443 to inside:4.xxx.xxx.14/63916
09:33:16: %ASA-6-106100: access-list outside-3_access_in denied tcp outside-3/88.157.xxx.11(443) -> inside/172.20.xx.90(63916)
I check the PAT table and the connection is still active.
TCP PAT from inside:172.20.xx.90/63916 to outside-3:4.xx.xxx.14/63916 flags ri idle 0:00:09 timeout 0:00:30
What am I missing? Thanks
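The two syslog lines above are easy to match by eye, but hard to correlate in bulk: the 434004 bypass message reports the flow with the mapped (PAT) inside address, while the 106100 ACL message reports the real inside address, so the xlate table is needed to join them. The script below is an added example, not code from the original post or from Cisco; it parses constructed ASA syslog lines and `show xlate` output in the same format as the quoted ones (documentation-range addresses, not the poster's data), un-translates the bypass message's destination through the PAT table, and reports flows that SFR handed back to the ASA and that the ACL then denied. The regexes assume IPv4 addresses and the exact message wording shown above.

```python
import re
from typing import Dict, List, Tuple

Endpoint = Tuple[str, str, int]        # (interface, address, port)
Flow = Tuple[str, Endpoint, Endpoint]  # (protocol, source, destination)

# Constructed sample data (not from the original post): same message shapes as
# %ASA-6-434004, %ASA-6-106100 and 'show xlate', with documentation addresses.
SAMPLE_SYSLOG = """\
Jun 12 2018 09:33:16: %ASA-6-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from outside-3:203.0.113.11/443 to inside:198.51.100.14/63916
Jun 12 2018 09:33:16: %ASA-6-106100: access-list outside-3_access_in denied tcp outside-3/203.0.113.11(443) -> inside/172.20.0.90(63916)
Jun 12 2018 09:33:20: %ASA-6-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from outside-3:203.0.113.55/443 to inside:198.51.100.14/50200
Jun 12 2018 09:33:21: %ASA-6-106100: access-list outside-3_access_in permitted tcp outside-3/203.0.113.55(443) -> inside/172.20.0.91(50200)
Jun 12 2018 09:33:25: %ASA-6-106100: access-list outside-3_access_in denied tcp outside-3/203.0.113.77(80) -> inside/172.20.0.92(40001)
"""

SAMPLE_XLATE = """\
TCP PAT from inside:172.20.0.90/63916 to outside-3:198.51.100.14/63916 flags ri idle 0:00:09 timeout 0:00:30
TCP PAT from inside:172.20.0.91/50200 to outside-3:198.51.100.14/50200 flags ri idle 0:00:02 timeout 0:00:30
"""

# 434004: SFR returned the flow to the ASA; destination is the *mapped* address.
BYPASS_RE = re.compile(
    r"%ASA-\d-434004: SFR requested ASA to bypass further packet redirection "
    r"and process (?P<proto>\w+) flow from (?P<sif>[^:\s]+):(?P<sip>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dif>[^:\s]+):(?P<dip>[^/\s]+)/(?P<dport>\d+)"
)
# 106100: ACL verdict; destination is the *real* (un-translated) inside address.
ACL_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\w+) (?P<sif>[^/\s]+)/(?P<sip>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dip>[^(\s]+)\((?P<dport>\d+)\)"
)
# 'show xlate' PAT entry: real endpoint -> mapped endpoint.
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from (?P<rif>[^:\s]+):(?P<rip>[^/\s]+)/(?P<rport>\d+) "
    r"to (?P<mif>[^:\s]+):(?P<mip>[^/\s]+)/(?P<mport>\d+)"
)


def parse_xlates(text: str) -> Dict[Tuple[str, int], Endpoint]:
    """Build (mapped_ip, mapped_port) -> real endpoint from 'show xlate' output."""
    mapping: Dict[Tuple[str, int], Endpoint] = {}
    for line in text.splitlines():
        m = XLATE_RE.search(line.strip())
        if m:
            mapping[(m["mip"], int(m["mport"]))] = (m["rif"], m["rip"], int(m["rport"]))
    return mapping


def correlate(syslog: str, xlates: Dict[Tuple[str, int], Endpoint]) -> List[dict]:
    """Return flows that SFR handed back to the ASA (434004) and the ACL then denied (106100)."""
    bypassed: Dict[Flow, str] = {}
    findings: List[dict] = []
    for line in syslog.splitlines():
        m = BYPASS_RE.search(line)
        if m:
            mapped = (m["dip"], int(m["dport"]))
            # Un-translate the mapped destination so it matches what 106100 logs;
            # if no xlate is known, keep the address as logged.
            dst = xlates.get(mapped, (m["dif"], m["dip"], int(m["dport"])))
            flow: Flow = (m["proto"].lower(), (m["sif"], m["sip"], int(m["sport"])), dst)
            bypassed[flow] = line
            continue
        m = ACL_RE.search(line)
        if m and m["action"] == "denied":
            flow = (m["proto"].lower(),
                    (m["sif"], m["sip"], int(m["sport"])),
                    (m["dif"], m["dip"], int(m["dport"])))
            if flow in bypassed:
                findings.append({"flow": flow, "acl": m["acl"],
                                 "bypass": bypassed[flow], "deny": line})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_SYSLOG, parse_xlates(SAMPLE_XLATE)):
        proto, (sif, sip, sport), (dif, dip, dport) = f["flow"]
        print(f"SFR bypass then ACL deny ({f['acl']}): "
              f"{proto} {sif}/{sip}:{sport} -> {dif}/{dip}:{dport}")
```

Only the first sample flow is reported: the second was permitted by the ACL, and the third was denied without a preceding bypass. On a real box the xlate table should be captured at about the same time as the syslog, since PAT entries here age out after the 0:00:30 timeout shown in the thread and the mapping is then lost.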
06-13-2018 04:19 AM
06-13-2018 04:42 AM
Is your PAT NAT statement configured for both directions, or unidirectional?
can you share the NAT config statement you have?
06-13-2018 12:53 PM - edited 06-13-2018 12:53 PM
I got some wire captures today and it appears that the firewall is doing its job. This type of traffic (one instance was an ad server and another was Spotify traffic) seems to continuously be setting up new TCP sessions.
No retransmits in the capture, just a lot of FIN,FIN-ACK followed by connecting a new TCP session.
Thanks for the help.