Solved

I have an ASA with the following:  What does the following mean?   "Deny TCP (no connection) from/to flags FIN ACK on interface inside"

Posted on 2009-07-15
4
1,181 Views
Last Modified: 2013-11-22
I keep getting the above error.  It is not explicitly denying the packet, but was wondering what the error means.
0
Comment
Question by:NWSBexch
  • 2
4 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24863766
It means basically the TCP packet was sent with something other than the syn flag sent. Therefore the ASAwould check its connection table, no previous connection existed and the packet gets denied.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24863807
But I seen this messege when I used 8.0.4 on 5505 with Oracle communication, after that I downgraded the ASA the problem is discontinued!

Do you have a problem on qour network, or you inquiring?
0
 
LVL 15

Accepted Solution

by:
Voltz-dk earned 500 total points
ID: 24865169
It is a common log.  It's a packet that is received after the connection has been closed down in the ASA.
If you have syslog on informational, you'll see that you receive a Teardown syslog (which also states why it's closed) on the connection in question prior to this deny.
The packet is indeed denied, but it's got FIN flag set so it's part of the graceful connection teardown anyways.
0
 

Author Comment

by:NWSBexch
ID: 24865182
So this is not necessarily a bad thing, but just part of the "tear down" process?
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question