Solved

Cisco, Firewall, ASA, Odd Behavior

Posted on 2008-10-02
Last Modified: 2008-10-06
I have an App server sitting in a DMZ that talks to a DB server in my inside network.  Most functions work fine, but when I try to run certain reports from the App server the reporting app hangs.  I've noticed that the following log entries show up in the firewall error log, but I'm not entirely sure what they are telling me.

6|Oct 02 2008|12:55:25|302014|10.2.201.1|5666|10.2.40.30|55051|Teardown TCP connection 349654 for CCHDMZ:10.2.201.1/5666 to inside:10.2.40.30/55051 duration 0:00:00 bytes 2789 TCP FINs
6|Oct 02 2008|12:55:25|302013|10.2.201.1|5666|10.2.40.30|55051|Built outbound TCP connection 349654 for CCHDMZ:10.2.201.1/5666 (10.2.201.1/5666) to inside:10.2.40.30/55051 (10.2.40.30/55051)
6|Oct 02 2008|12:55:20|302014|10.2.201.1|5666|10.2.40.30|55015|Teardown TCP connection 349653 for CCHDMZ:10.2.201.1/5666 to inside:10.2.40.30/55015 duration 0:00:00 bytes 2789 TCP FINs
6|Oct 02 2008|12:55:20|302013|10.2.201.1|5666|10.2.40.30|55015|Built outbound TCP connection 349653 for CCHDMZ:10.2.201.1/5666 (10.2.201.1/5666) to inside:10.2.40.30/55015 (10.2.40.30/55015)
6|Oct 02 2008|12:55:15|106015|10.2.201.1|2891|10.2.40.44|1521|Deny TCP (no connection) from 10.2.201.1/2891 to 10.2.40.44/1521 flags ACK  on interface CCHDMZ
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags PSH ACK  on interface inside
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags ACK  on interface inside
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags PSH ACK  on interface inside
6|Oct 02 2008|12:55:15|302014|10.2.201.1|2891|10.2.40.44|1521|Teardown TCP connection 349647 for CCHDMZ:10.2.201.1/2891 to inside:10.2.40.44/1521 duration 0:00:06 bytes 20381 Flow closed by inspection

The thing that confuses me is that I've opened all traffic between both these servers.  It looks to me like the application might be misbehaving.

Any ideas?
Question by:ruffalocody
4 Comments
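As an added example (not part of the question or any answer in this thread), the script below parses the pipe-delimited ASA syslog export format shown above and pairs each 302014 teardown that ends in "Flow closed by inspection" with the 106015 "Deny TCP (no connection)" messages logged for the same TCP flow within a few seconds. That is the pattern a defender would want surfaced automatically: an inspection engine dropping a connection table entry while both endpoints keep sending on it. The nine-field layout, the five-second window and the sample lines (copied from the question) are assumptions of this example, not a documented ASA export format.

```python
# Added example (not from the thread): parse the pipe-delimited ASA syslog
# export shown in the question and pair each 302014 teardown that says
# "Flow closed by inspection" with the 106015 "Deny TCP (no connection)"
# messages for the same TCP flow. Assumes exactly nine pipe-separated
# fields per line: severity|date|time|msg_id|src|sport|dst|dport|text.
import re
from datetime import datetime

# Constructed sample input: the lines from the question, newest first.
SAMPLE_LOG = """\
6|Oct 02 2008|12:55:25|302014|10.2.201.1|5666|10.2.40.30|55051|Teardown TCP connection 349654 for CCHDMZ:10.2.201.1/5666 to inside:10.2.40.30/55051 duration 0:00:00 bytes 2789 TCP FINs
6|Oct 02 2008|12:55:25|302013|10.2.201.1|5666|10.2.40.30|55051|Built outbound TCP connection 349654 for CCHDMZ:10.2.201.1/5666 (10.2.201.1/5666) to inside:10.2.40.30/55051 (10.2.40.30/55051)
6|Oct 02 2008|12:55:15|106015|10.2.201.1|2891|10.2.40.44|1521|Deny TCP (no connection) from 10.2.201.1/2891 to 10.2.40.44/1521 flags ACK  on interface CCHDMZ
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags PSH ACK  on interface inside
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags ACK  on interface inside
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags PSH ACK  on interface inside
6|Oct 02 2008|12:55:15|302014|10.2.201.1|2891|10.2.40.44|1521|Teardown TCP connection 349647 for CCHDMZ:10.2.201.1/2891 to inside:10.2.40.44/1521 duration 0:00:06 bytes 20381 Flow closed by inspection
"""

CONN_ID_RE = re.compile(r"connection (\d+)")
IFACE_RE = re.compile(r"on interface (\S+)")


def parse_line(line):
    """Split one exported ASA syslog line into its nine fields."""
    sev, date, clock, msg_id, src, sport, dst, dport, text = line.split("|", 8)
    return {
        "ts": datetime.strptime(f"{date} {clock}", "%b %d %Y %H:%M:%S"),
        "msg_id": int(msg_id),
        "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport),
        "text": text.strip(),
    }


def flow_key(ev):
    """Direction-independent key so both halves of one TCP flow match."""
    return frozenset([(ev["src"], ev["sport"]), (ev["dst"], ev["dport"])])


def find_inspection_drops(log_text, window_seconds=5):
    """One finding per flow torn down by inspection, with the number of
    'Deny TCP (no connection)' messages seen for that flow in the window.
    Ordinary teardowns (TCP FINs, timeouts) are not reported."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for td in events:
        if td["msg_id"] != 302014 or "closed by inspection" not in td["text"]:
            continue
        key = flow_key(td)
        denies = [e for e in events
                  if e["msg_id"] == 106015 and flow_key(e) == key
                  and abs((e["ts"] - td["ts"]).total_seconds()) <= window_seconds]
        interfaces = set()
        for e in denies:
            m = IFACE_RE.search(e["text"])
            if m:
                interfaces.add(m.group(1))
        findings.append({
            "conn_id": int(CONN_ID_RE.search(td["text"]).group(1)),
            "flow": f'{td["src"]}/{td["sport"]} -> {td["dst"]}/{td["dport"]}',
            "denied_packets": len(denies),
            "deny_interfaces": sorted(interfaces),
        })
    return findings


if __name__ == "__main__":
    for finding in find_inspection_drops(SAMPLE_LOG):
        print(finding)
```

Run against the sample, it reports a single flow (connection 349647, 10.2.201.1/2891 to 10.2.40.44/1521) with four denied packets seen on both the CCHDMZ and inside interfaces, and ignores the two short-lived port 5666 sessions that closed normally with FINs. The direction-independent flow key is what lets the one deny logged on CCHDMZ (the DMZ host's ACK) match the three logged on inside (the database's PSH ACKs) as the same conversation.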
 
LVL 10

Expert Comment

by:stsonline
ID: 22628626
Working from the bottom (oldest timestamp), the first entry can be ignored.
The next three entries show denied connections from 10.2.40.44 TCP port 1521 to 10.2.201.1 port 2891.
The next entry shows a denied connection back from 10.2.201.1 port 2891 to 10.2.40.44 port 1521.
The next entry shows a session going up from 10.2.201.1 on TCP port 5666 to 10.2.40.30 on port 55015 with session ID 349653. This session is removed on the next line after less than a second.
The final entry shows the same two systems with the same activity but this time from port 5666 to port 55051.

Nothing indicates a misbehaving application - there do seem to be FW rules needed if the CCHDMZ systems need to talk to the inside systems.
 
LVL 33

Accepted Solution

by:MikeKane earned 500 total points
ID: 22628699
You could always just turn off inspection for that port.

policy-map global_policy
 class inspection_default
  no inspect sqlnet

That will definitely take care of the inspection closed issue.
 

Author Comment

by:ruffalocody
ID: 22629156
Mike,
Turning off inspection seems to have fixed the problem.  Could you provide me with a little bit of an explanation of the why behind this?  I don't have a very good grasp on the inspection function of the ASA.

Thanks
 
LVL 33

Expert Comment

by:MikeKane
ID: 22630995
Here's the document from cisco on the application layer inspection.  
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1347071

Read up on the sqlnet description near the bottom.
