Feb 28, 2012

What is the reason for the log %ASA-6-106015?

When the ASA receives a packet, it first looks it up in the connection table. If a connection entry is found for that packet, it is handled by the fast path and bypasses the ACLs. If no entry exists, the packet is treated as the first packet of a new connection and goes through the session management path, where ACLs and NAT are applied and the conn entry is created. This holds for any packet that doesn't require application inspection; inspected traffic is handled by the session management path or the control plane path instead. The part that matters for this log: a TCP packet that is not a SYN cannot open a new connection, so if it arrives with no matching conn entry the ASA drops it before any ACL is consulted and logs %ASA-6-106015 "Deny TCP (no connection)".


So what does it mean if you see the following logs?

Feb 20 2012 08:15:08: %ASA-6-302013: Built outbound TCP connection 7985447 for outside:192.168.0.35/80 (192.168.0.35/80) to inside:10.0.0.20/45494 (192.0.2.20/45494)

Feb 20 2012 08:15:38: %ASA-6-302014: Teardown TCP connection 7985447 for outside:192.168.0.35/80 to inside:10.0.0.20/45494 duration 0:00:30 bytes 0 SYN Timeout

Feb 20 2012 08:15:54: %ASA-6-106015: Deny TCP (no connection) from 192.168.0.35/80 to 192.0.2.20/45494 flags SYN ACK  on interface outside

Reading the three lines together: the inside host 10.0.0.20 (translated to 192.0.2.20) sent a SYN to 192.168.0.35 port 80 at 08:15:08 and the ASA created connection 7985447. No SYN/ACK came back within the 30-second embryonic (SYN) timeout, so the entry was torn down at 08:15:38 with "SYN Timeout" and zero bytes. The SYN/ACK finally showed up at 08:15:54, 46 seconds after the SYN and 16 seconds after the entry was gone. With no conn entry to match and no way for a SYN/ACK to open a new connection, the ASA dropped it and logged 106015. Note that 106015 shows the mapped address 192.0.2.20 rather than 10.0.0.20, because the check happens on the outside interface before NAT is undone. The cause is the slow reply from the path to or from the server, not the firewall's ACLs, which were never consulted for that packet.
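As an added example (not part of the original post), here is a small Python script that correlates these three messages the way one would when triaging 106015 in a SIEM: it keys the 302013 entry by the NAT-mapped tuple (which is what 106015 reports, since the packet is denied on the outside interface before un-NAT), records the teardown reason, and computes how late the SYN/ACK arrived. The embedded log lines are the ones quoted above; the field names and verdict strings are this script's own.

```python
# Added example (not from the original post): correlate the three ASA messages
# above to show why the SYN/ACK was denied with "no connection".
import re
from datetime import datetime

# The three log lines quoted in the post, embedded so the script runs offline.
SAMPLE_LOG = """\
Feb 20 2012 08:15:08: %ASA-6-302013: Built outbound TCP connection 7985447 for outside:192.168.0.35/80 (192.168.0.35/80) to inside:10.0.0.20/45494 (192.0.2.20/45494)
Feb 20 2012 08:15:38: %ASA-6-302014: Teardown TCP connection 7985447 for outside:192.168.0.35/80 to inside:10.0.0.20/45494 duration 0:00:30 bytes 0 SYN Timeout
Feb 20 2012 08:15:54: %ASA-6-106015: Deny TCP (no connection) from 192.168.0.35/80 to 192.0.2.20/45494 flags SYN ACK  on interface outside
"""

TS = r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-"
# 302013 carries the real and the (NAT) mapped address of each end; we key on the mapped ones.
BUILT = re.compile(
    TS + r"302013: Built (?:inbound|outbound) TCP connection (?P<id>\d+) for "
    r"\w+:[\d.]+/\d+ \((?P<m1>[\d.]+/\d+)\) to \w+:[\d.]+/\d+ \((?P<m2>[\d.]+/\d+)\)")
TEARDOWN = re.compile(
    TS + r"302014: Teardown TCP connection (?P<id>\d+) for .* duration \S+ bytes \d+ (?P<reason>.+)$")
# 106015 is logged on the ingress interface before un-NAT, so it shows the mapped tuple.
DENY = re.compile(
    TS + r"106015: Deny TCP \(no connection\) from (?P<src>[\d.]+/\d+) to (?P<dst>[\d.]+/\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\w+)")


def parse_ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")


def correlate(log_text):
    """Return one finding per 106015 line, tied to the conn entry it would have matched."""
    conns = {}      # conn id -> {"built": ts, "torn": ts or None, "reason": str or None}
    by_tuple = {}   # frozenset of the two mapped endpoints -> conn id
    findings = []
    for line in log_text.splitlines():
        m = BUILT.match(line)
        if m:
            conns[m["id"]] = {"built": parse_ts(m["ts"]), "torn": None, "reason": None}
            by_tuple[frozenset((m["m1"], m["m2"]))] = m["id"]
            continue
        m = TEARDOWN.match(line)
        if m and m["id"] in conns:
            conns[m["id"]]["torn"] = parse_ts(m["ts"])
            conns[m["id"]]["reason"] = m["reason"]
            continue
        m = DENY.match(line)
        if not m:
            continue
        when = parse_ts(m["ts"])
        cid = by_tuple.get(frozenset((m["src"], m["dst"])))
        finding = {"conn_id": cid, "flags": m["flags"].strip(), "iface": m["iface"],
                   "reason": None, "seconds_after_syn": None, "seconds_after_teardown": None}
        if cid is None:
            # Nothing built for this tuple in the window: out-of-state or spoofed packet.
            finding["verdict"] = "no matching connection in the log window (out-of-state or spoofed packet)"
        elif conns[cid]["torn"] is None:
            finding["verdict"] = "conn entry still present; unexpected, check NAT and interface"
        else:
            c = conns[cid]
            finding["reason"] = c["reason"]
            finding["seconds_after_syn"] = (when - c["built"]).total_seconds()
            finding["seconds_after_teardown"] = (when - c["torn"]).total_seconds()
            if c["reason"] == "SYN Timeout" and finding["flags"] == "SYN ACK":
                finding["verdict"] = "late SYN/ACK for an embryonic connection that already hit the SYN timeout"
            else:
                finding["verdict"] = "packet for a connection already torn down (%s)" % c["reason"]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f)
```

Running it on the lines above yields one finding for connection 7985447: the SYN/ACK arrived 46 seconds after the SYN and 16 seconds after the entry was removed at the 30-second SYN timeout. A burst of 106015 lines with no matching 302013/302014 is a different situation (out-of-state or spoofed packets, or a conn that was built before the log window), and the script reports that separately instead of guessing.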

Feb 10, 2012

Disabling idle timeout for specific traffic

The ASA enforces an idle timeout on connections; the default for TCP is one hour. This saves resources and keeps the conn table from filling up with dead sessions, but it can also break applications that legitimately keep a connection idle for longer: the firewall silently removes the entry, and the next data packet on that session is dropped as "no connection". The timeout can be disabled globally, but that is not a good idea, because stale entries then accumulate and degrade firewall performance. The best approach when you run an application that you expect to keep connections idle for a long time is to disable the idle timeout for that traffic only. We can do that with Advanced Connection Settings, which on the CLI is a Modular Policy Framework class with `set connection timeout`.
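As an added example (not the original post's configuration), the CLI equivalent of the ASDM Advanced Connection Settings for one flow: traffic to a hypothetical database server 10.0.0.50 on TCP 5432 is matched by an ACL, attached to the default global policy, and given an idle timeout of 0:00:00, which disables the timeout for those connections only. The ACL, class-map and class names are assumptions.

```cisco
! Added example, not taken from the post. Only the hypothetical server
! 10.0.0.50/tcp 5432 is exempted; everything else keeps the global 1 hour idle timeout.
access-list LONG_IDLE extended permit tcp any host 10.0.0.50 eq 5432
!
class-map LONG_IDLE_CLASS
 match access-list LONG_IDLE
!
policy-map global_policy
 class LONG_IDLE_CLASS
  set connection timeout idle 0:00:00
!
service-policy global_policy global
```

Keep the ACL as narrow as possible: a connection that never ages out stays in the conn table until one side closes it or an administrator clears it with `clear conn`, so a broad match here is a resource-exhaustion risk rather than a convenience. Verify with `show service-policy` that the class is attached and, for a live session, with `show conn` that the exempted entry's idle timer no longer counts it down. On older ASA releases the same knob is spelled `set connection timeout tcp` rather than `timeout idle`.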