Solved

Cisco, Firewall, ASA, Odd Behavior

Posted on 2008-10-02
Last Modified: 2008-10-06
I have an App server sitting in a DMZ that talks to a DB server in my inside network. Most functions work fine, but when I try to run certain reports from the App server the reporting app hangs. I've noticed that the following log entries show up in the firewall error log, but I'm not entirely sure what they are telling me.

6|Oct 02 2008|12:55:25|302014|10.2.201.1|5666|10.2.40.30|55051|Teardown TCP connection 349654 for CCHDMZ:10.2.201.1/5666 to inside:10.2.40.30/55051 duration 0:00:00 bytes 2789 TCP FINs
6|Oct 02 2008|12:55:25|302013|10.2.201.1|5666|10.2.40.30|55051|Built outbound TCP connection 349654 for CCHDMZ:10.2.201.1/5666 (10.2.201.1/5666) to inside:10.2.40.30/55051 (10.2.40.30/55051)
6|Oct 02 2008|12:55:20|302014|10.2.201.1|5666|10.2.40.30|55015|Teardown TCP connection 349653 for CCHDMZ:10.2.201.1/5666 to inside:10.2.40.30/55015 duration 0:00:00 bytes 2789 TCP FINs
6|Oct 02 2008|12:55:20|302013|10.2.201.1|5666|10.2.40.30|55015|Built outbound TCP connection 349653 for CCHDMZ:10.2.201.1/5666 (10.2.201.1/5666) to inside:10.2.40.30/55015 (10.2.40.30/55015)
6|Oct 02 2008|12:55:15|106015|10.2.201.1|2891|10.2.40.44|1521|Deny TCP (no connection) from 10.2.201.1/2891 to 10.2.40.44/1521 flags ACK  on interface CCHDMZ
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags PSH ACK  on interface inside
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags ACK  on interface inside
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags PSH ACK  on interface inside
6|Oct 02 2008|12:55:15|302014|10.2.201.1|2891|10.2.40.44|1521|Teardown TCP connection 349647 for CCHDMZ:10.2.201.1/2891 to inside:10.2.40.44/1521 duration 0:00:06 bytes 20381 Flow closed by inspection

The thing that confuses me is that I've opened all traffic between both these servers.  It looks to me like the application might be misbehaving.

Any ideas?
Question by:ruffalocody
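An added example (not code from the question, the answers, or Cisco) that parses the ASDM-style pipe-delimited lines quoted above, pairs the "Flow closed by inspection" teardown (302014) with the 106015 "Deny TCP (no connection)" entries that follow it for the same endpoints, and keeps those separate from genuine access-list denies (106023). SAMPLE_LOG is the question's own lines plus one constructed 106023 line, added only for contrast; the message-ID meanings are Cisco's published ones. Python, runs stand-alone:

```python
"""Correlate Cisco ASA syslog entries: pair each TCP flow torn down by
application inspection with the 'no connection' denies that follow it.
Added example, not code from the original post or from Cisco. SAMPLE_LOG is
the question's lines plus one constructed 106023 line (the last one)."""
import re
from datetime import datetime

# ASA syslog message IDs used below (Cisco's published meanings).
MSG_TEARDOWN = 302014      # Teardown TCP connection <id> ... <reason>
MSG_DENY_NO_CONN = 106015  # Deny TCP (no connection): no entry in the conn table
MSG_DENY_ACL = 106023      # Deny ... by access-group: the packet hit an ACL
INSPECTION_REASON = "Flow closed by inspection"

SAMPLE_LOG = """\
6|Oct 02 2008|12:55:25|302014|10.2.201.1|5666|10.2.40.30|55051|Teardown TCP connection 349654 for CCHDMZ:10.2.201.1/5666 to inside:10.2.40.30/55051 duration 0:00:00 bytes 2789 TCP FINs
6|Oct 02 2008|12:55:25|302013|10.2.201.1|5666|10.2.40.30|55051|Built outbound TCP connection 349654 for CCHDMZ:10.2.201.1/5666 (10.2.201.1/5666) to inside:10.2.40.30/55051 (10.2.40.30/55051)
6|Oct 02 2008|12:55:15|106015|10.2.201.1|2891|10.2.40.44|1521|Deny TCP (no connection) from 10.2.201.1/2891 to 10.2.40.44/1521 flags ACK  on interface CCHDMZ
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags PSH ACK  on interface inside
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags ACK  on interface inside
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags PSH ACK  on interface inside
6|Oct 02 2008|12:55:15|302014|10.2.201.1|2891|10.2.40.44|1521|Teardown TCP connection 349647 for CCHDMZ:10.2.201.1/2891 to inside:10.2.40.44/1521 duration 0:00:06 bytes 20381 Flow closed by inspection
4|Oct 02 2008|12:55:30|106023|10.2.201.1|4444|10.2.40.50|23|Deny tcp src CCHDMZ:10.2.201.1/4444 dst inside:10.2.40.50/23 by access-group "CCHDMZ_access_in" [0x0, 0x0]
"""


def parse_line(line):
    """Parse one ASDM-style line into a dict; return None for other text."""
    fields = line.split("|", 8)
    if len(fields) != 9 or not fields[3].isdigit():
        return None
    _sev, date, clock, msgid, src, sport, dst, dport, text = fields
    return {
        "time": datetime.strptime(f"{date} {clock}", "%b %d %Y %H:%M:%S"),
        "msgid": int(msgid),
        "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
        "text": text.strip(),
    }


def flow_key(entry):
    """Direction-independent key so both halves of one TCP conversation match."""
    return tuple(sorted([(entry["src"], entry["sport"]),
                         (entry["dst"], entry["dport"])]))


def correlate(log_text):
    """Return a report: flows closed by inspection (with the stray packets
    denied afterward), genuine ACL denies, and unexplained 106015 denies."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]

    # Pass 1: teardowns whose reason is inspection, keyed by endpoints.
    closed = {}
    for e in entries:
        if e["msgid"] == MSG_TEARDOWN and INSPECTION_REASON in e["text"]:
            conn = re.search(r"connection (\d+)", e["text"]).group(1)
            closed[flow_key(e)] = {"conn": conn, "closed_at": e["time"],
                                   "server_port": e["dport"],
                                   "stray_denies": 0, "flags": []}

    # Pass 2: attribute later 'no connection' denies to those teardowns.
    # Timestamps are compared, so the viewer's newest-first order is fine.
    acl_denies, unexplained = [], []
    for e in entries:
        if e["msgid"] == MSG_DENY_ACL:
            acl_denies.append(e)
        elif e["msgid"] == MSG_DENY_NO_CONN:
            hit = closed.get(flow_key(e))
            if hit and e["time"] >= hit["closed_at"]:
                hit["stray_denies"] += 1
                m = re.search(r"flags (.*?)\s+on interface", e["text"])
                hit["flags"].append(m.group(1) if m else "?")
            else:
                unexplained.append(e)
    return {"inspection_closed": closed, "acl_denies": acl_denies,
            "unexplained_no_conn": unexplained}


def diagnose(report):
    """Turn the report into the plain-language conclusions an admin needs."""
    out = []
    for (a, b), info in report["inspection_closed"].items():
        out.append(f"conn {info['conn']} {a[0]}:{a[1]} <-> {b[0]}:{b[1]} was closed by "
                   f"inspection; {info['stray_denies']} later packet(s) "
                   f"[{', '.join(info['flags'])}] dropped as 'no connection'")
        if info["server_port"] == 1521:  # 1521 is in the default sqlnet inspection class
            out.append("  server port 1521 is handled by 'inspect sqlnet'; "
                       "106015 is a state-table drop, not an ACL hit")
    out.append(f"{len(report['acl_denies'])} ACL deny(s) (106023), "
               f"{len(report['unexplained_no_conn'])} unexplained 106015 deny(s)")
    return out


if __name__ == "__main__":
    for line in diagnose(correlate(SAMPLE_LOG)):
        print(line)
```

The point the correlation makes: a 106015 "no connection" deny is not an ACL hit (those log as 106023); it is the ASA refusing mid-stream packets for a connection it no longer tracks, which is exactly what both hosts keep sending after an inspection engine tears the flow down. Removing `inspect sqlnet` from the global policy, as the accepted answer does, stops the teardown; if you would rather keep the engine for everything else, the same `no inspect sqlnet` can be applied in a policy that matches only this DMZ-to-DB traffic instead of the global `inspection_default` class.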
4 Comments

Expert Comment

by:stsonline
ID: 22628626
Working from the bottom (oldest timestamp), the first entry can be ignored.
The next three entries show denied connections from 10.2.40.44 TCP port 1521 to 10.2.201.1 port 2891.
The next entry shows a denied connection back from 10.2.201.1 port 2891 to 10.2.40.44 port 1521.
The next entry shows a session going up from 10.2.201.1 on TCP port 5666 to 10.2.40.30 on port 55015 with session ID 349653. This session is removed on the next line after less than a second.
The final entry shows the same two systems with the same activity but this time from port 5666 to port 55051.

Nothing indicates a misbehaving application - there do seem to be FW rules needed if the CCHDMZ systems need to talk to the inside systems.

Accepted Solution

by: MikeKane (earned 500 total points)
ID: 22628699
You could always just turn off inspection for that port.

policy-map global_policy
 class inspection_default
  no inspect sqlnet

That will definitely take care of the inspection closed issue.

Author Comment

by:ruffalocody
ID: 22629156
Mike,
Turning off inspection seems to have fixed the problem. Could you provide me with a little bit of an explanation of the why behind this? I don't have a very good grasp on the inspection function of the ASA.

Thanks

Expert Comment

by:MikeKane
ID: 22630995
Here's the document from Cisco on the application layer inspection.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1347071

Read up on the sqlnet description near the bottom.