Teardown followed by two 'Deny' entries in PIX logs

Posted on 2009-04-21
Last Modified: 2012-05-06

I'm seeing long delays transferring files via FTP. The connection is initiated from the external IP. I'm hoping for some insight into these PIX logs.

Internal address is x.x.x.x
External Address is y.y.y.y
Firewall interface is z.z.z.z

-Firstly, there's an inbound Build operation from the External address to Internal Address.
 3/27/2009 6:00      Friday      6:00 AM - 7:00 AM      z.z.z.z      Built      [message removed]      PIX-6-302013      PIX      6      302013      TCP      y.y.y.y      (empty) x.x.x.x       (empty)      (empty)      22      50559      outside      dmz      50559_tcp

-The connection is closed after 16 mins
27/Mar/2009 06:16:24       z.z.z.z       Teardown       [message removed]       PIX-6-302014       PIX       6       302014       TCP       x.x.x.x       (empty)       y.y.y.y      (empty)       (empty)       50559       22       dmz       outside       22_tcp  TCP Reset-I       

-Then I see two identical DENYs from x.x.x.x to y.y.y.y (same timestamp as the TEARDOWN)
27/Mar/2009 06:16:24       z.z.z.z       Deny       [message removed]       PIX-6-106015       PIX       6       106015       TCP       x.x.x.x       (empty)       y.y.y.y       (empty)       (empty)       50559       22       (empty)       (empty)       22_tcp  RST
27/Mar/2009 06:16:24       z.z.z.z       Deny       [message removed]       PIX-6-106015       PIX       6       106015       TCP       x.x.x.x       (empty)       y.y.y.y       (empty)       (empty)       50559       22       (empty)       (empty)       22_tcp  RST

Is this normal operation? Or is the connection being reset before the FTP transfer has completed?
Question by:sherryfitzgroup

    Accepted Solution

    By default the Firewall won't tear down a TCP connection unless it is idle for 60 minutes, so the Firewall isn't tearing the connection down after 16 minutes before the FTP transfer completes.  The server closed the connection by sending 3 TCP RSTs.  The Firewall received the first RST, upon which it immediately tears down the connection.  The connection is now torn down, and so the other two RSTs from the server result in the last two messages (Deny no connection).  This is normal operation.  The Firewall is simply responding to what it is seeing from the servers.
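The correlation described in the accepted answer, as an added triage sketch (not code from the original thread): it labels each 106015 deny by whether a 302014 teardown for the same flow was logged within the two seconds before it. The reduced tab-separated layout, the two-second window, the function names and the sample addresses are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (documentation addresses), tab-separated columns:
# timestamp, message ID, source IP, destination IP, source port, destination port, detail
SAMPLE = """\
27/Mar/2009 06:00:00\t302013\t198.51.100.7\t192.0.2.10\t22\t50559\t
27/Mar/2009 06:16:24\t302014\t192.0.2.10\t198.51.100.7\t50559\t22\tTCP Reset-I
27/Mar/2009 06:16:24\t106015\t192.0.2.10\t198.51.100.7\t50559\t22\tRST
27/Mar/2009 06:16:24\t106015\t192.0.2.10\t198.51.100.7\t50559\t22\tRST
27/Mar/2009 07:30:00\t106015\t192.0.2.10\t203.0.113.5\t40000\t22\tRST
"""

def flow_key(src, dst, sport, dport):
    # Direction-independent key: Built and Teardown list the endpoints in opposite order.
    return frozenset({(src, sport), (dst, dport)})

def parse(text):
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, msg_id, src, dst, sport, dport, detail = line.split("\t")
        yield {
            "time": datetime.strptime(ts, "%d/%b/%Y %H:%M:%S"),
            "id": msg_id,
            "flow": flow_key(src, dst, sport, dport),
            "detail": detail,
        }

def classify_denies(text, window=timedelta(seconds=2)):
    """Label each 106015 deny as trailing a teardown of the same flow or not."""
    last_teardown = {}  # flow -> (teardown time, teardown reason)
    results = []
    for rec in parse(text):
        if rec["id"] == "302014":
            last_teardown[rec["flow"]] = (rec["time"], rec["detail"])
        elif rec["id"] == "106015":
            seen = last_teardown.get(rec["flow"])
            if seen and timedelta(0) <= rec["time"] - seen[0] <= window:
                # Late packet for a connection the firewall already removed.
                results.append(("after-teardown", seen[1], rec["detail"]))
            else:
                # No recent teardown for this flow: worth a closer look.
                results.append(("no-matching-teardown", None, rec["detail"]))
    return results
```

Denies labelled `after-teardown` match the pattern in the question; only the `no-matching-teardown` ones need separate investigation.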