Cisco ASA 8.2 - 106015 (Deny) and 106100 (Permit) Logs for the Same Packet

logging cisco-asa

I'm seeing traffic from numerous internal endpoints where a RST or FIN/ACK is sent by the endpoint to a host on the Internet. These connections are related with a transparent proxy that is not handling these properly. Instead of dealing with them, it simply forwards them to the ASA. The ASA has never observed these connections before.

The ASA (8.2) sees this traffic and generates a 106015 event (no connection) and denies the traffic. This is precisely what I expect. However, the ASA will also log a 106100 event that states the traffic is permitted. There is an ACE that states "permit ip any any log".

Based on traffic captures, it was confirmed that the traffic was denied and not permitted.

Why is the 106100 event happening then? It's completely thrown us for a loop as it appears that the ASA has allowed traffic when in fact it has not. If the ASA drops the traffic due to lack of existing connection, why would it go anywhere near the ACLs, much less generate a permit log?

Here are the logs in questions:

: %ASA-6-106015: Deny TCP (no connection) from 10.x.x.x/62938 to 216.x.x.x/80 flags FIN ACK  on interface inside

: %ASA-6-106100: access-list inside permitted tcp inside/10.x.x.x(62938) -> outside/216.x.x.x(80) hit-cnt 1 first hit [0x62c4905, 0x0]

Timestamps of the two events are identical.

Any advice would be appreciated, thanks.

Edit: Clarification
According to this Cisco article on packet flow. http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

"If packet flow does not match an existing connection, then TCP state is verified. If it is a SYN packet or UDP packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged."

Based on this described behavior, I'm still unsure as to why I'm seeing the 106100 log indicating the traffic is permitted.


The ACL is being evaluated before the connection tracking and NAT evaluation (check the output of packet-tracer simulating this traffic), and because the traffic hits that rule, it logs as you've instructed it to in permit ip any any log.

Related

.NET Core console app fails from task scheduler with 0xC0000005
Append URL parameter to request URI using Nginx
Limit exceeded for cluster creation on Azure Kubernetes, where to cleanup?
NTP/Chrony not keeping time synchronized on CentOS 7.9 (VM running on VMware ESXi)
mail Linux command include username along with from address [duplicate]
Effective access doesn't reflect the actual NTFS permissions
Google Cloud Load Balancer + Instance Group + SSL Certificates
Sharing permissions doesn't apply to sub directories as required
How to create an email with embedded images that is compatible with the most mail clients
Why is enquo + !! preferable to substitute + eval
Shell variables set inside while loop not visible outside of it
Azure Service Bus add get requests to queue