Cisco Bug: CSCuj62017 - ASA doesn't RST conn for same sec-level int (resetoutbound/inbound only)

Last Modified

Apr 16, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

100.3(0), 8.4, 8.4(4.10), 9.1(2)

Description (partial)

Symptom:
If TCP traffic other than a SYN reaches the ASA and the ASA has no existing connection for it, the ASA should send a reset to the Server when service resetoutbound is enabled (it is enabled by default on all interfaces).
This works correctly when the Client and Server are connected to ASA interfaces with different security levels. When both interfaces have the same security level, however, the ASA does not send a Reset to the Server, even though the Command Reference indicates that it should; the client and server are left retransmitting until the retransmission maximum is reached.

Since same-security connections are treated as inbound regardless of which interface of a same-security pair the connection was established from, the ASA would arguably be right not to send the Reset when only service resetoutbound is enabled. However, with only service resetinbound enabled (service resetoutbound disabled), the ASA still does not send a Reset to the Server. Only when both service resetoutbound and service resetinbound are enabled is the Reset sent to the Client in the same-security case.

Scenario 1: Interfaces with different security levels (Client 100, Server 20); service resetoutbound enabled

The R,Ack is sent from the ASA to the Server and the connection is reset on the ASA.

Scenario 2: Interfaces with the same security level; service resetoutbound enabled

The R,Ack is not sent from the ASA to the Server.

Scenario 3: Interfaces with the same security level; service resetinbound enabled (service resetoutbound disabled)

The ASA does not send a Reset to the Client.

Scenario 4: Interfaces with the same security level; service resetinbound and service resetoutbound both enabled

The Reset is sent.

Conditions:
TCP traffic (not a SYN) is sent to the ASA and the ASA has no existing connection for it, with:

1. Server and Client connected to interfaces with the same security level.

2. Only service resetoutbound enabled (the default),
   or
   only service resetinbound enabled (service resetoutbound disabled).
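To put an ASA into one of the four cases above and decide from a packet capture which behaviour it shows, here is an added Python harness; it is not part of the Cisco bug page and not Cisco's code. It parses tcpdump -n output taken on the segment of the host that sent the stray (non-SYN) segment, looks for the reset the ASA injects, and compares the result with what CSCuj62017 reports for each scenario. The addresses, ports and capture lines are constructed for the example, and it assumes (the bug page does not say so) that the ASA's reset is addressed to the sender of the stray segment and is spoofed from that segment's destination address and port. The CLI lines it emits (service resetoutbound, service resetinbound, same-security-traffic permit inter-interface) are the real ASA commands for these settings.

```python
"""Verify whether an ASA resets a stray (non-SYN) TCP segment.

Added example for CSCuj62017; not Cisco's code and not from the bug page.
Addresses, ports and capture lines are constructed. The scenario table
records only the outcomes the bug description reports.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# tcpdump -n output, e.g.
#   12:00:00.000150 IP 10.1.1.10.40000 > 10.1.2.20.80: Flags [R.], seq 3001, ack 101, win 0, length 0
_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump flag letters: S, ., R, P, F ('.' is ACK)

    @property
    def rst(self) -> bool:
        return "R" in self.flags

    @property
    def syn(self) -> bool:
        return "S" in self.flags


def parse_capture(lines: Iterable[str]) -> List[Segment]:
    """Parse tcpdump -n lines; lines that are not TCP are skipped."""
    segs = []
    for line in lines:
        m = _LINE.match(line.strip())
        if m:
            segs.append(Segment(m["src"], int(m["sport"]),
                                m["dst"], int(m["dport"]), m["flags"]))
    return segs


def reset_for_probe(segs: List[Segment], probe: Segment) -> Optional[Segment]:
    """First RST answering `probe`, or None.

    Assumption (not stated on the bug page): the ASA addresses its reset to
    the host that sent the stray segment and spoofs it from that segment's
    destination address/port, so the reversed 4-tuple identifies it.
    """
    for s in segs:
        if (s.rst and s.src == probe.dst and s.sport == probe.dport
                and s.dst == probe.src and s.dport == probe.sport):
            return s
    return None


@dataclass(frozen=True)
class Scenario:
    number: int
    same_security: bool
    resetoutbound: bool   # enabled by default on the ASA
    resetinbound: bool    # disabled by default on the ASA
    reported_reset: bool  # what CSCuj62017 reports the ASA actually does


# The four cases from the bug description.
SCENARIOS = {
    1: Scenario(1, False, True, False, True),
    2: Scenario(2, True, True, False, False),
    3: Scenario(3, True, False, True, False),
    4: Scenario(4, True, True, True, True),
}


def asa_config(sc: Scenario) -> List[str]:
    """ASA CLI lines that put the box into scenario `sc`.
    Same-security cases also need inter-interface traffic permitted,
    otherwise the flow is denied before the reset logic matters."""
    cmds = []
    if sc.same_security:
        cmds.append("same-security-traffic permit inter-interface")
    cmds.append("service resetoutbound" if sc.resetoutbound else "no service resetoutbound")
    cmds.append("service resetinbound" if sc.resetinbound else "no service resetinbound")
    return cmds


def check(sc: Scenario, capture: Iterable[str], probe: Segment) -> dict:
    """Compare a capture taken on the probe sender's segment with the bug report."""
    if probe.syn:  # a SYN would just open a new connection; not the case under test
        raise ValueError("probe must be a non-SYN segment")
    observed = reset_for_probe(parse_capture(capture), probe) is not None
    return {"scenario": sc.number, "reset_observed": observed,
            "reset_reported_by_bug": sc.reported_reset,
            "matches_bug_report": observed == sc.reported_reset}


# Constructed probe: server 10.1.2.20:80 pushes data on a connection the ASA
# no longer holds, toward client 10.1.1.10:40000.
PROBE = Segment("10.1.2.20", 80, "10.1.1.10", 40000, "P.")

# Constructed capture on the server's interface: stray segment, two
# retransmissions, no reset (what the bug reports for scenario 2).
CAPTURE_SCENARIO_2 = [
    "12:00:00.000000 IP 10.1.2.20.80 > 10.1.1.10.40000: Flags [P.], seq 1:101, ack 3001, win 512, length 100",
    "12:00:01.000000 IP 10.1.2.20.80 > 10.1.1.10.40000: Flags [P.], seq 1:101, ack 3001, win 512, length 100",
    "12:00:03.000000 IP 10.1.2.20.80 > 10.1.1.10.40000: Flags [P.], seq 1:101, ack 3001, win 512, length 100",
]

# Constructed capture with the spoofed R,Ack the ASA injects when both reset
# services are enabled (scenario 4).
CAPTURE_SCENARIO_4 = [
    "12:00:00.000000 IP 10.1.2.20.80 > 10.1.1.10.40000: Flags [P.], seq 1:101, ack 3001, win 512, length 100",
    "12:00:00.000150 IP 10.1.1.10.40000 > 10.1.2.20.80: Flags [R.], seq 3001, ack 101, win 0, length 0",
]

if __name__ == "__main__":
    for sc, cap in ((SCENARIOS[2], CAPTURE_SCENARIO_2), (SCENARIOS[4], CAPTURE_SCENARIO_4)):
        print(asa_config(sc), check(sc, cap, PROBE))
```

To use it against a real box: apply the lines from asa_config() for the scenario under test, let an established connection age out of the ASA connection table (or clear it with clear conn), have the server send more data on it, capture with tcpdump -n on the server's interface, and feed the lines to check(). A result with matches_bug_report False on scenario 2 or 3 means the release in use no longer shows the behaviour described above.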