Solved

I have an ASA with the following:  What does the following mean?   "Deny TCP (no connection) from/to flags FIN ACK on interface inside"

Posted on 2009-07-15
4
1,178 Views
Last Modified: 2013-11-22
I keep getting the above error.  It is not explicitly denying the packet, but was wondering what the error means.
0
Comment
Question by:NWSBexch
  • 2
4 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24863766
It means basically the TCP packet was sent with something other than the syn flag sent. Therefore the ASAwould check its connection table, no previous connection existed and the packet gets denied.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24863807
But I seen this messege when I used 8.0.4 on 5505 with Oracle communication, after that I downgraded the ASA the problem is discontinued!

Do you have a problem on qour network, or you inquiring?
0
 
LVL 15

Accepted Solution

by:
Voltz-dk earned 500 total points
ID: 24865169
It is a common log.  It's a packet that is received after the connection has been closed down in the ASA.
If you have syslog on informational, you'll see that you receive a Teardown syslog (which also states why it's closed) on the connection in question prior to this deny.
The packet is indeed denied, but it's got FIN flag set so it's part of the graceful connection teardown anyways.
0
 

Author Comment

by:NWSBexch
ID: 24865182
So this is not necessarily a bad thing, but just part of the "tear down" process?
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

These are on the increase and getting more common these days. Users who use the Google search engine may complain of having their search redirected to unwanted sites, regardless of what browser is used. This happens when the system is infected with…
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question