Solved

Cisco, Firewall, ASA, Odd Behavior

Posted on 2008-10-02
Last Modified: 2008-10-06
I have an App server sitting in a DMZ that talks to a DB server in my inside network. Most functions work fine, but when I try to run certain reports from the App server the reporting app hangs. I've noticed that the following log entries show up in the firewall error log, but I'm not entirely sure what they are telling me.

6|Oct 02 2008|12:55:25|302014|10.2.201.1|5666|10.2.40.30|55051|Teardown TCP connection 349654 for CCHDMZ:10.2.201.1/5666 to inside:10.2.40.30/55051 duration 0:00:00 bytes 2789 TCP FINs
6|Oct 02 2008|12:55:25|302013|10.2.201.1|5666|10.2.40.30|55051|Built outbound TCP connection 349654 for CCHDMZ:10.2.201.1/5666 (10.2.201.1/5666) to inside:10.2.40.30/55051 (10.2.40.30/55051)
6|Oct 02 2008|12:55:20|302014|10.2.201.1|5666|10.2.40.30|55015|Teardown TCP connection 349653 for CCHDMZ:10.2.201.1/5666 to inside:10.2.40.30/55015 duration 0:00:00 bytes 2789 TCP FINs
6|Oct 02 2008|12:55:20|302013|10.2.201.1|5666|10.2.40.30|55015|Built outbound TCP connection 349653 for CCHDMZ:10.2.201.1/5666 (10.2.201.1/5666) to inside:10.2.40.30/55015 (10.2.40.30/55015)
6|Oct 02 2008|12:55:15|106015|10.2.201.1|2891|10.2.40.44|1521|Deny TCP (no connection) from 10.2.201.1/2891 to 10.2.40.44/1521 flags ACK  on interface CCHDMZ
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags PSH ACK  on interface inside
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags ACK  on interface inside
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags PSH ACK  on interface inside
6|Oct 02 2008|12:55:15|302014|10.2.201.1|2891|10.2.40.44|1521|Teardown TCP connection 349647 for CCHDMZ:10.2.201.1/2891 to inside:10.2.40.44/1521 duration 0:00:06 bytes 20381 Flow closed by inspection

The thing that confuses me is that I've opened all traffic between both these servers.  It looks to me like the application might be misbehaving.

Any ideas?
Question by: ruffalocody
 
Expert Comment by: stsonline
ID: 22628626
Working from the bottom (oldest timestamp), the first entry can be ignored.
The next three entries show denied connections from 10.2.40.44 TCP port 1521 to 10.2.201.1 port 2891.
The next entry shows a denied connection back from 10.2.201.1 port 2891 to 10.2.40.44 port 1521.
The next entry shows a session going up from 10.2.201.1 on TCP port 5666 to 10.2.40.30 on port 55015 with session ID 349653. This session is removed on the next line after less than a second.
The final entry shows the same two systems with the same activity but this time from port 5666 to port 55051.

Nothing indicates a misbehaving application - there do seem to be FW rules needed if the CCHDMZ systems need to talk to the inside systems.
 
Accepted Solution by: MikeKane (earned 500 total points)
ID: 22628699
You could always just turn off inspection for that port.

! Default global service policy that the ASA applies on every interface
policy-map global_policy
 ! Default class matching the standard application ports (SQL*Net on TCP/1521 among them)
 class inspection_default
  ! Remove SQL*Net application-layer inspection from that class
  no inspect sqlnet

That will definitely take care of the inspection closed issue.
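The teardown reason on the port 1521 flow (conn 349647, "Flow closed by inspection") followed by four 106015 "no connection" denies for the same two endpoints is the pattern that points at an inspection engine rather than an ACL: the connection had been built, so the ACLs permitted it, and the later denies are packets arriving after the ASA had already dropped the state entry (an ACL deny would log 106023 instead). The following is an added example, not code from the thread or from Cisco, that parses the pipe-delimited lines posted in the question and makes that correlation mechanical. It assumes the export layout seen above (severity|date|time|msgid|src|sport|dst|dport|text) and the standard wording of the 302014 and 106015 message text; the function and class names are my own.

```python
"""Correlate Cisco ASA 302014 (teardown) and 106015 (deny, no connection)
syslog lines so that an inspection-engine drop can be told apart from an
ACL, NAT or state problem.

Assumed (not from the original page): the pipe-delimited export layout
severity|date|time|msgid|src|sport|dst|dport|text, and the standard
message text of %ASA-6-302014 and %ASA-6-106015.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample input: the nine lines posted in the question, verbatim.
SAMPLE_LOG = """\
6|Oct 02 2008|12:55:25|302014|10.2.201.1|5666|10.2.40.30|55051|Teardown TCP connection 349654 for CCHDMZ:10.2.201.1/5666 to inside:10.2.40.30/55051 duration 0:00:00 bytes 2789 TCP FINs
6|Oct 02 2008|12:55:25|302013|10.2.201.1|5666|10.2.40.30|55051|Built outbound TCP connection 349654 for CCHDMZ:10.2.201.1/5666 (10.2.201.1/5666) to inside:10.2.40.30/55051 (10.2.40.30/55051)
6|Oct 02 2008|12:55:20|302014|10.2.201.1|5666|10.2.40.30|55015|Teardown TCP connection 349653 for CCHDMZ:10.2.201.1/5666 to inside:10.2.40.30/55015 duration 0:00:00 bytes 2789 TCP FINs
6|Oct 02 2008|12:55:20|302013|10.2.201.1|5666|10.2.40.30|55015|Built outbound TCP connection 349653 for CCHDMZ:10.2.201.1/5666 (10.2.201.1/5666) to inside:10.2.40.30/55015 (10.2.40.30/55015)
6|Oct 02 2008|12:55:15|106015|10.2.201.1|2891|10.2.40.44|1521|Deny TCP (no connection) from 10.2.201.1/2891 to 10.2.40.44/1521 flags ACK  on interface CCHDMZ
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags PSH ACK  on interface inside
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags ACK  on interface inside
6|Oct 02 2008|12:55:15|106015|10.2.40.44|1521|10.2.201.1|2891|Deny TCP (no connection) from 10.2.40.44/1521 to 10.2.201.1/2891 flags PSH ACK  on interface inside
6|Oct 02 2008|12:55:15|302014|10.2.201.1|2891|10.2.40.44|1521|Teardown TCP connection 349647 for CCHDMZ:10.2.201.1/2891 to inside:10.2.40.44/1521 duration 0:00:06 bytes 20381 Flow closed by inspection
"""

# 302014: the first endpoint is the side that opened the flow, the second the responder
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for (?P<if_a>[^:]+):(?P<ip_a>[^/]+)/(?P<port_a>\d+)"
    r" to (?P<if_b>[^:]+):(?P<ip_b>[^/]+)/(?P<port_b>\d+) duration \S+ bytes (?P<bytes>\d+) (?P<reason>.+)$"
)
# 106015: a non-SYN TCP packet with no matching connection entry (not an ACL verdict)
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from [^/]+/\d+ to [^/]+/\d+ flags (?P<flags>.+?)\s+on interface (?P<iface>\S+)"
)


@dataclass
class Finding:
    conn: str
    client: tuple           # (ip, port) that opened the flow
    server: tuple           # (ip, port) it connected to
    reason: str             # teardown reason text from 302014
    stray_denies: int = 0   # 106015 messages seen for the same endpoint pair
    stray_ifaces: set = field(default_factory=set)

    @property
    def verdict(self):
        if self.reason == "Flow closed by inspection":
            return "inspection"      # an inspect engine closed it; ACLs had passed it
        if self.reason == "TCP FINs":
            return "normal-close"
        if self.reason == "no teardown in window":
            return "no-state"        # state expired earlier or asymmetric path
        return "other"


def parse_line(line):
    sev, date, time_, msgid, src, sport, dst, dport, text = line.split("|", 8)
    return {"ts": datetime.strptime(f"{date} {time_}", "%b %d %Y %H:%M:%S"),
            "msgid": msgid, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "text": text}


def flow_key(ev):
    # Direction-agnostic: a deny logged on "inside" for the return packet must
    # match the teardown that names the DMZ host first.
    return frozenset({(ev["src"], ev["sport"]), (ev["dst"], ev["dport"])})


def correlate(log_text):
    """One Finding per endpoint pair, with any stray 106015 denies attached."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = {}                 # flow key -> Finding built from 302014
    strays = defaultdict(list)    # flow key -> [106015 events]
    for ev in events:
        if ev["msgid"] == "302014" and (m := TEARDOWN_RE.search(ev["text"])):
            g = m.groupdict()
            findings[flow_key(ev)] = Finding(
                conn=g["conn"], client=(g["ip_a"], int(g["port_a"])),
                server=(g["ip_b"], int(g["port_b"])), reason=g["reason"].strip())
        elif ev["msgid"] == "106015" and (m := DENY_RE.search(ev["text"])):
            strays[flow_key(ev)].append({**ev, "iface": m.group("iface")})
    for key, evs in strays.items():
        f = findings.get(key)
        if f is None:
            # Denies with no teardown in this export: the state was dropped before
            # the window started, or the SYN never crossed this ASA.
            e = evs[0]
            f = findings[key] = Finding(conn="-", client=(e["src"], e["sport"]),
                                        server=(e["dst"], e["dport"]),
                                        reason="no teardown in window")
        f.stray_denies += len(evs)
        f.stray_ifaces.update(e["iface"] for e in evs)
    return sorted(findings.values(), key=lambda f: f.conn)


def inspection_victims(findings):
    """Servers whose flows an inspect engine closed, as {(ip, port): count}."""
    out = defaultdict(int)
    for f in findings:
        if f.verdict == "inspection":
            out[f.server] += 1
    return dict(out)


if __name__ == "__main__":
    results = correlate(SAMPLE_LOG)
    for f in results:
        print(f"conn {f.conn}: {f.client[0]}:{f.client[1]} -> {f.server[0]}:{f.server[1]} "
              f"reason={f.reason!r} strays={f.stray_denies} on {sorted(f.stray_ifaces)} "
              f"verdict={f.verdict}")
    print("inspection victims:", inspection_victims(results))
```

Run against the posted lines it reports the two port 5666 flows as normal closes with no stray packets and the 1521 flow as closed by inspection with four strays on both interfaces, which is why a permit-everything ACL between the two hosts did not help. Anything that comes back with verdict "inspection" is a candidate for the fix in the accepted answer or for a narrower policy that removes inspection only for that traffic class; note that `no inspect sqlnet` also removes the pinholes the ASA opens for redirected Oracle listener connections, the trade-off described in the Cisco inspection document linked below.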
 

Author Comment by: ruffalocody
ID: 22629156
Mike,
Turning off inspection seems to have fixed the problem. Could you provide me with a little bit of an explanation of the why behind this? I don't have a very good grasp on the inspection function of the ASA.

Thanks
 
Expert Comment by: MikeKane
ID: 22630995
Here's the document from Cisco on application layer inspection.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1347071

Read up on the sqlnet description near the bottom.