Cisco adaptive security appliance is dropping packets where SYN flag is not set
Posted by Brett Ryan on Server Fault
Published on 2012-11-14T05:53:58Z
We have an apache instance sitting inside our DMZ, which is configured to proxy requests to an internal NATed tomcat instance inside our network. It works fine, but then all of a sudden requests from apache to the tomcat instance stop getting through, with the following in the apache logs:
[error] (70007)The timeout specified has expired: ajp_ilink_receive() can't receive header
Investigating in the Cisco log viewer reveals the following:
Error Message: %ASA-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.
Explanation: The adaptive security appliance discarded a TCP packet that has no associated connection in the adaptive security appliance connection table. The adaptive security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the adaptive security appliance discards the packet.
Recommended Action: None required unless the adaptive security appliance receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.
All our machines are virtualised using VMware, and by default machines have been using the Intel E1000 emulated NIC. Our network administrator has changed this to a VMXNET3 driver in an attempt to correct the problem; we just have to wait and see if the problem persists, as it's an intermittent problem.
Is there something else that could be causing this problem? This isn't the first service where we have had similar issues.
Our apache host is running Ubuntu 11.10 with a kernel version of 3.0.0-17-server. We have also had this issue on RHEL5 (5.8) running kernel 2.6.18-308.16.1.el5; this machine also has the E1000 NIC.
NOTE: I am not a network administrator and am a software architect and analyst programmer responsible for these systems.
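The ASA documentation quoted in the question ends with "trace the packets to the source", which in practice means pulling the 106015 lines out of the firewall syslog and grouping them by flow. The following Python script is an added example and is not part of the original post or of any Cisco tooling: it parses constructed %ASA-6-106015 lines (the addresses, ports, hostname and timestamps are made up; the message layout follows the format quoted above), counts denies per source/destination/port, and tags each deny by its TCP flags. The tagging is a heuristic assumption on my part, not something the ASA documentation states: FIN or RST on a flow with no entry is usually a late teardown of a connection the appliance already removed, while ACK or PSH ACK on a long-lived port such as AJP 8009 is a flow whose table entry aged out or was never built (for example because the appliance saw only one direction of the traffic).

```python
import re
from collections import Counter

# Regex for the message format quoted in the question:
#   Deny TCP (no connection) from SRC/PORT to DST/PORT flags FLAGS on interface NAME
# Whitespace between the flag list and "on interface" is allowed to vary.
ASA_106015 = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z]+(?: [A-Z]+)*)\s+on interface (?P<iface>\S+)"
)

# Constructed sample syslog lines (not taken from the original post).
# 192.0.2.10 plays the DMZ apache host, 10.0.0.20 the internal tomcat (AJP on 8009).
SAMPLE_LOG = """\
Nov 14 05:50:01 fw1 %ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/51234 to 10.0.0.20/8009 flags PSH ACK  on interface dmz
Nov 14 05:50:01 fw1 %ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/51234 to 10.0.0.20/8009 flags ACK  on interface dmz
Nov 14 05:50:02 fw1 %ASA-6-302013: Built outbound TCP connection 12345 for dmz:192.0.2.10/51240 (192.0.2.10/51240) to inside:10.0.0.20/8009 (10.0.0.20/8009)
Nov 14 05:51:30 fw1 %ASA-6-106015: Deny TCP (no connection) from 10.0.0.20/8009 to 192.0.2.10/51234 flags FIN ACK  on interface inside
Nov 14 05:52:10 fw1 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/40001 to 192.0.2.10/80 flags RST  on interface outside
"""


def parse_denies(log_text):
    """Return one dict per 106015 line; every other message ID is ignored."""
    events = []
    for line in log_text.splitlines():
        m = ASA_106015.search(line)
        if m:
            ev = m.groupdict()
            ev["flags"] = frozenset(ev["flags"].split())
            events.append(ev)
    return events


def classify(flags):
    """Heuristic label for why a packet had no connection-table entry (my assumption,
    not from the ASA docs). SYN should never reach 106015, since a SYN builds a
    connection rather than being matched against one."""
    if "SYN" in flags:
        return "unexpected-syn"
    if "RST" in flags or "FIN" in flags:
        return "teardown-after-removal"
    return "data-without-entry"


def summarize(events):
    """Count denies per (src, dst, dport, label) so the noisiest flow stands out."""
    counts = Counter()
    for ev in events:
        counts[(ev["src"], ev["dst"], ev["dport"], classify(ev["flags"]))] += 1
    return counts


def top_flows(counts, n=3):
    """The n flows with the most denies, which is where to start tracing."""
    return counts.most_common(n)


if __name__ == "__main__":
    summary = summarize(parse_denies(SAMPLE_LOG))
    for (src, dst, dport, label), n in top_flows(summary):
        print(f"{n:4d}  {src} -> {dst}:{dport}  {label}")
```

Run against a real syslog export, the "data-without-entry" bucket pointing at the tomcat AJP port is the one to correlate with the apache ajp_ilink_receive timeouts; the source port in those lines identifies the exact apache-side socket, which can then be matched against a packet capture on the apache host to see whether the ASA ever saw that connection's SYN.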
© Server Fault or respective owner