
Deny tcp (no connection) ???? or less connection


151569

IS-IT--Management
Feb 4, 2006
38
BR
Hello

I need help with my PIX. What is this "Deny TCP (no connection)"? Searching the Internet, this log shows that the PIX loses the connection with the server or client. Is this true?

Does somebody have an idea?

Thanks.
 
Basically it means the TCP packet was sent with something other than the SYN flag set. Therefore the PIX checked its connection table, no previous connection existed, and the packet was denied.

 
Thanks for responding to me, Network Ghost. In my case the client requests my HTTP server through my PIX, the HTTP server responds to the client, and then the client sends information to the HTTP server again; at that moment this log message is shown:

Dec 10 13:23:31 192.168.0.243 %PIX-6-106015: Deny TCP (no connection) from IP_client/80 to IP_PIX/57226 flags FIN PSH ACK on interface outside

This link has some problem; however, the solution does not work. I tried decreasing the half-closed timeout value to 0:05:00 ... and nothing!!!


Obs: the two IPs are valid.

Thanks.
 
Are you experiencing any problems? TCP connections usually don't time out unless they remain half open or just plain never get a FIN packet. So the issue here could be a few things.

ddd.ddd.ddd.ddd == Destination
sss.sss.sss.sss == Source


This is what I suggest:

Start a capture on the traffic in question. We want to do this from the source-facing interface first:

access-list cap_http permit ip host sss.sss.sss.sss host ddd.ddd.ddd.ddd
access-list cap_http permit ip host ddd.ddd.ddd.ddd host sss.sss.sss.sss
capture cap_acl_http access-list cap_http interface inside buffer 8000


Attempt the traffic that is failing. After that is complete, perform a "sh cap cap_acl_http" on the PIX. Copy and save the results.

Do the same on the outside interface. This time the source IP will be the NAT'd IP on the outside interface:

no cap cap_acl_http
no access-list cap_http permit ip host sss.sss.sss.sss host ddd.ddd.ddd.ddd
no access-list cap_http permit ip host ddd.ddd.ddd.ddd host sss.sss.sss.sss



access-list cap_http permit ip host sss.sss.sss.sss host ddd.ddd.ddd.ddd
access-list cap_http permit ip host ddd.ddd.ddd.ddd host sss.sss.sss.sss
capture cap_acl_http access-list cap_http interface Outside buffer 8000


Scrub the IPs in both captures and post the results.


 
Hello

I made a capture of the traffic between the client and my server. This is the result:

On interface dmz:
Dec 12 18:00:07 192.168.0.243 %PIX-6-302013: Built inbound TCP connection 1384819 for outside:IP_client/2621 (IP_client/2621) to dmz:IP_serv_http/80 (201.34.206.66/80)
Dec 12 18:00:40 192.168.0.243 %PIX-6-302014: Teardown TCP connection 1384819 for outside:IP_client/2621 to dmz:IP_serv_http/80 duration 0:00:32 bytes 1133 TCP Reset-O
Dec 12 18:00:40 192.168.0.243 %PIX-6-302013: Built inbound TCP connection 1385023 for outside:IP_client/2640 (IP_client/2640) to dmz:IP_serv_http/80 (201.34.206.66/80)
Dec 12 18:01:11 192.168.0.243 %PIX-6-302014: Teardown TCP connection 1385023 for outside:IP_client/2640 to dmz:IP_serv_http/80 duration 0:00:30 bytes 567 TCP Reset-O

On interface outside:

Dec 12 19:19:02 192.168.0.243 %PIX-6-302013: Built inbound TCP connection 1429700 for outside:ip_client/3130 (ip_client/3130) to dmz:192.168.4.3/80 (ip_VALID_serv_http/80)
Dec 12 19:19:02 192.168.0.243 %PIX-5-304001: ip_client Accessed URL ip_serv_http:/web/clientes.consulta.php?aco=cgc&cod=89706560815
Dec 12 19:19:10 192.168.0.243 %PIX-6-302013: Built inbound TCP connection 1429721 for outside:ip_client/3133 (ip_client/3133) to dmz:192.168.4.3/80 (ip_VALID_serv_http/80)
Dec 12 19:19:10 192.168.0.243 %PIX-5-304001: ip_client Accessed URL ip_serv_http:/web/clientes.atualiza.php?cod=IJSVMP
Dec 12 19:19:20 192.168.0.243 %PIX-6-302013: Built inbound TCP connection 1429742 for outside:ip_client/3137 (ip_client/3137) to dmz:192.168.4.3/80 (ip_VALID_serv_http/80)

192.168.4.3 --> this is my real HTTP server inside the dmz
ip_VALID_serv_http is NAT'd to IP_serv_http (dmz)
|-> 200.xxx.xxx |-> 192.168.4.3

Ok, do you understand?

Thanks
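Reading the thread as a whole, the 302014 teardowns end with "TCP Reset-O" (the outside host reset the connection) and the 106015 denies carry FIN/PSH/ACK, i.e. late segments for a flow the PIX has already removed from its table. The following script is an added illustration and not code from this thread or from Cisco: it walks PIX syslog, remembers each teardown by its address/port pair, and labels every "Deny TCP (no connection)" as either a late segment of a just-torn-down flow or an unknown flow worth a closer look. The log lines are constructed (RFC 5737 documentation addresses), and the script assumes the deny line shows the same address pair as the teardown; with NAT that pair may be the translated one, so the 302013 mapping may have to be applied first.

```python
import re
from datetime import datetime

# Constructed sample PIX syslog lines in the format seen in this thread.
SAMPLE_LOG = """\
Dec 12 18:00:07 192.168.0.243 %PIX-6-302013: Built inbound TCP connection 1384819 for outside:203.0.113.10/2621 (203.0.113.10/2621) to dmz:192.168.4.3/80 (198.51.100.5/80)
Dec 12 18:00:40 192.168.0.243 %PIX-6-302014: Teardown TCP connection 1384819 for outside:203.0.113.10/2621 to dmz:192.168.4.3/80 duration 0:00:32 bytes 1133 TCP Reset-O
Dec 12 18:00:41 192.168.0.243 %PIX-6-106015: Deny TCP (no connection) from 192.168.4.3/80 to 203.0.113.10/2621 flags FIN PSH ACK on interface dmz
Dec 12 18:05:00 192.168.0.243 %PIX-6-106015: Deny TCP (no connection) from 203.0.113.77/4444 to 192.168.4.3/80 flags ACK on interface outside
"""

TS_FMT = "%b %d %H:%M:%S"
TEARDOWN = re.compile(r"%PIX-\d-302014: Teardown TCP connection \d+ for \w+:([\d.]+)/(\d+)"
                      r" to \w+:([\d.]+)/(\d+) .* TCP (.+)$")
DENY = re.compile(r"%PIX-\d-106015: Deny TCP \(no connection\) from ([\d.]+)/(\d+)"
                  r" to ([\d.]+)/(\d+) flags (.+?) on interface (\w+)")

def _ts(line):
    # Syslog timestamp is the first 15 characters; no year, fine for deltas
    return datetime.strptime(line[:15], TS_FMT)

def _key(a, ap, b, bp):
    # Direction-independent key so a late server->client segment still matches
    return frozenset([(a, int(ap)), (b, int(bp))])

def classify_denies(log, window=60):
    """Return one (timestamp, flags, interface, verdict) per 106015 line.
    A deny that follows a teardown of the same address pair within `window`
    seconds is labelled with that teardown's reason (e.g. 'Reset-O');
    anything else is 'unknown-flow' and deserves a look at the capture."""
    last_teardown = {}   # address pair -> (teardown time, reason)
    results = []
    for line in log.splitlines():
        m = TEARDOWN.search(line)
        if m:
            a, ap, b, bp, reason = m.groups()
            last_teardown[_key(a, ap, b, bp)] = (_ts(line), reason.strip())
            continue
        m = DENY.search(line)
        if not m:
            continue
        a, ap, b, bp, flags, iface = m.groups()
        t = _ts(line)
        prior = last_teardown.get(_key(a, ap, b, bp))
        if prior and 0 <= (t - prior[0]).total_seconds() <= window:
            verdict = f"late segment after teardown ({prior[1]})"
        else:
            verdict = "unknown-flow"
        results.append((t, flags, iface, verdict))
    return results
```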
 