Solved

I have an ASA with the following:  What does the following mean?   "Deny TCP (no connection) from/to flags FIN ACK on interface inside"

Posted on 2009-07-15
4
1,187 Views
Last Modified: 2013-11-22
I keep getting the above error.  It is not explicitly denying the packet, but was wondering what the error means.
0
Comment
Question by:NWSBexch
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24863766
It means basically the TCP packet was sent with something other than the syn flag sent. Therefore the ASAwould check its connection table, no previous connection existed and the packet gets denied.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24863807
But I seen this messege when I used 8.0.4 on 5505 with Oracle communication, after that I downgraded the ASA the problem is discontinued!

Do you have a problem on qour network, or you inquiring?
0
 
LVL 15

Accepted Solution

by:
Voltz-dk earned 500 total points
ID: 24865169
It is a common log.  It's a packet that is received after the connection has been closed down in the ASA.
If you have syslog on informational, you'll see that you receive a Teardown syslog (which also states why it's closed) on the connection in question prior to this deny.
The packet is indeed denied, but it's got FIN flag set so it's part of the graceful connection teardown anyways.
0
 

Author Comment

by:NWSBexch
ID: 24865182
So this is not necessarily a bad thing, but just part of the "tear down" process?
0

Featured Post

Defend Your Organization from The Greatest Threats

Looking to fill the gaps in your security? Bring together information from the network, endpoint and threat intelligence feeds to really see what's happening in your organization. Join the WatchGuardians in their adventures fighting cyber crime!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question