Cisco Bug: CSCvt77451 - ASA log/syslog message should mention reason for deny when same-security-interface is not present.

Last Modified

Apr 15, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

99.13(2.28)

Description (partial)

Symptom:
Apr2020 08:24:03: %ASA-2-106001: Inbound TCP connection denied from x.x.x.x/36079 to x.x.x.x/6379 flags SYN  on interface Test

According to the ASA routing table, both IP addresses resolve to the same interface, the Test interface.

So the ingress and the egress interface are the same.

At the ASA we do not see a log message clearly stating that the connection is denied due to the absence of "same-security-traffic permit intra-interface".

The ASA should state this reason clearly in the logs for both the same-security-traffic inter-interface and intra-interface cases.

Conditions:
Hairpinning traffic.
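Until the message itself carries the reason, the deny can be triaged offline by combining the 106001 line with the routing table and interface security levels. The following is an added example, not Cisco's code or part of this bug record; the routing table, security levels and log lines are constructed stand-ins for `show route` / `show nameif` output and real syslog.

```python
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Matches the %ASA-2-106001 message format seen above; tolerates the double
# space before "on" and the absence of "flags ..." on non-TCP denies.
MSG_106001 = re.compile(
    r"%ASA-\d-106001: Inbound (?P<proto>\w+) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
    r"(?: flags (?P<flags>[\w ]+?))?\s+on interface (?P<ingress>\S+)"
)

# Constructed routing table (prefix -> interface), standing in for "show route".
ROUTES: Dict[str, str] = {
    "10.10.0.0/16": "Test",
    "192.168.50.0/24": "dmz",
    "0.0.0.0/0": "outside",
}
# Constructed security levels, standing in for "show nameif".
SECURITY_LEVELS: Dict[str, int] = {"Test": 50, "dmz": 50, "outside": 0}

# Constructed sample log lines (addresses are documentation/RFC1918 ranges).
SAMPLE_LOG = [
    "Apr 15 2020 08:24:03: %ASA-2-106001: Inbound TCP connection denied from "
    "10.10.1.5/36079 to 10.10.2.20/6379 flags SYN  on interface Test",
    "%ASA-2-106001: Inbound TCP connection denied from 10.10.1.5/40000 "
    "to 192.168.50.7/443 flags SYN on interface Test",
    "%ASA-2-106001: Inbound UDP connection denied from 203.0.113.9/5000 "
    "to 192.168.50.7/53 on interface outside",
]


def egress_interface(ip: str, routes: Dict[str, str] = ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface a packet to `ip` would leave through."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def classify_deny(line: str) -> Optional[Tuple[str, str]]:
    """Return (likely reason, config to review) for a 106001 line, else None."""
    m = MSG_106001.search(line)
    if not m:
        return None
    ingress, egress = m["ingress"], egress_interface(m["dst"])
    if egress == ingress:  # hairpin: same interface in and out
        return ("intra-interface hairpin", "same-security-traffic permit intra-interface")
    if egress and SECURITY_LEVELS.get(egress) == SECURITY_LEVELS.get(ingress):
        return ("same-security inter-interface", "same-security-traffic permit inter-interface")
    return ("other", "review the ingress interface access-list")
```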
