Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Teardown followed by two 'Deny' entries in PIX logs

Posted on 2009-04-21
Medium Priority
Last Modified: 2012-05-06

I'm seeing long delays transferring files via FTP. The connection is initiated from the external IP. I'm hoping for some insight into these PIX logs.

Internal address is x.x.x.x
External Address is y.y.y.y
Firewall interface is z.z.z.z

-Firstly, there's an inbound Build operation from the External address to Internal Address.
 3/27/2009 6:00      Friday      6:00 AM - 7:00 AM      z.z.z.z      Built      [message removed]      PIX-6-302013      PIX      6      302013      TCP      y.y.y.y      (empty) x.x.x.x       (empty)      (empty)      22      50559      outside      dmz      50559_tcp

-The connection is closed after 16 mins
27/Mar/2009 06:16:24       z.z.z.z       Teardown       [message removed]       PIX-6-302014       PIX       6       302014       TCP       x.x.x.x       (empty)       y.y.y.y      (empty)       (empty)       50559       22       dmz       outside       22_tcp  TCP Reset-I       

-Then I see two identical DENYs from x.x.x.x to y.y.y.y (same timestamp as the TEARDOWN)
27/Mar/2009 06:16:24       z.z.z.z       Deny       [message removed]       PIX-6-106015       PIX       6       106015       TCP       x.x.x.x       (empty)       y.y.y.y       (empty)       (empty)       50559       22       (empty)       (empty)       22_tcp  RST
27/Mar/2009 06:16:24       z.z.z.z       Deny       [message removed]       PIX-6-106015       PIX       6       106015       TCP       x.x.x.x       (empty)       y.y.y.y       (empty)       (empty)       50559       22       (empty)       (empty)       22_tcp  RST

Is this normal operation? Or is the connection being reset before the FTP transfer has completed?
Question by:sherryfitzgroup
LVL 43

Accepted Solution

JFrederick29 earned 2000 total points
ID: 24203710
By default the Firewall won't tear down a TCP connection unless it is idle for 60 minutes so the Firewall isn't tearing the connection down after 16 minutes before the FTP transfer completes.  The server closed the connection by sending 3 TCP RST's.  The Firewall received the first RST in which it will immediately tears down the connection.   The connection is now torn down and so the other two RST's from the server result in the last two messages (Deny no connection).  This is normal operation.  The Firewall is simply responding to what it is seeing from the servers.

Author Closing Comment

ID: 31572995

Featured Post

Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question