Solved

Excessive tcp resends from my ASA

Posted on 2016-10-08
7
27 Views
Last Modified: 2016-11-27
I'm seeing an inordinate amount of tcp denies in my ASA that are not attributable to my access lists.  The logging is over 90% tcp deny with mostly PSH ACK and some ACK and very seldomly FIN.
There doesn't appear to be a network performance degradation, but I am concerned that there is an issue, plus it is filling up my syslog server more rapidly.
I will send a sample log output soon, but I am looking for ASA experts and tcp transaction experts to help me find out what is going on.
Thank you.
0
Comment
Question by:Ted James
  • 4
  • 3
7 Comments
 

Author Comment

by:Ted James
ID: 41835940
Enclosed is a sample log output.  Any Cisco ASA experts out there that could decipher the many tcp deny logs entries (more than usual compared to other ASAs we have)?
logs.docx
0
 
LVL 61

Expert Comment

by:gheist
ID: 41836032
Can you post plain-text log and attach sample pcap file of tcp retries actually happening?
0
 

Author Comment

by:Ted James
ID: 41842342
Unfortunately I don't have capability to do a pcap on that network.  I am relying on logs from ASA only.

Can you tell me in general what is the cause for something like this?
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 61

Expert Comment

by:gheist
ID: 41842617
Any TCP stack do resends not receiving acks on time.
For experiment disable SACK/FACK/DACK if linux is there, that should make it more latency sensitive but make more acks and less resends.
0
 

Author Comment

by:Ted James
ID: 41865521
Sorry I have been out of commission for a while.
Does the fact that my ASA is in "transparent" mode that could have an affect on this?
0
 
LVL 61

Accepted Solution

by:
gheist earned 500 total points
ID: 41871316
There is some small resends expected under normal network conditions. You need to capture per-connection to see where they come from.
0
 

Author Closing Comment

by:Ted James
ID: 41903591
Thank you!
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now