Error log:

FWSM-1(config)# show log as | in 15.225

6|Aug 31 2012 09:44:36|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31073 flags SYN ACK  on interface In-Internal_2

6|Aug 31 2012 09:44:37|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31041 flags SYN ACK  on interface In-Internal_2

6|Aug 31 2012 09:44:37|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31169 flags SYN ACK  on interface In-Internal_2

6|Aug 31 2012 09:44:37|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31105 flags SYN ACK  on interface In-Internal_2

6|Aug 31 2012 09:44:37|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31137 flags SYN ACK  on interface In-Internal_2

Basic understanding:

Message 106015 "Deny TCP (no connection)" means the FWSM received a TCP segment that is not an initial SYN (here the web server's SYN-ACK, source port 80) and found no matching entry in its connection table, so it dropped the segment. It is not an ACL deny; an ACL deny is logged as 106023 together with the name of the access-group.

For some reason connections to the web server were not being established. Take a capture on the interface that reported the drop (In-Internal_2), filtered on the server's address in both directions, to see exactly which packets of the flow actually reach the firewall.

FWSM-1(config)# access-list cap_acl permit tcp host 10.10.15.225 any

FWSM-1(config)# access-list cap_acl permit tcp any host 10.10.15.225

FWSM-1(config)# capture cap_traff access-list cap_acl in In-Internal_2

FWSM-1(config)# show capture cap_traff

12 packets seen, 12 packets captured

   1: 10:00:01.1190680460 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840

   2: 10:00:01.1190680700 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840

   3: 10:00:04.1190683450 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840

   4: 10:00:04.1190683700 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840

   5: 10:00:05.1190684460 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840

   6: 10:00:05.1190685060 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840

   7: 10:00:10.1190689460 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840

   8: 10:00:10.1190689710 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840

   9: 10:00:11.1190690660 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840

  10: 10:00:11.1190691070 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840

  11: 10:00:23.1190702670 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840

  12: 10:00:23.1190703070 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840

12 packets shown

Analysis and conclusion:

The capture makes it clear that the three-way handshake never completes. The firewall sees only the server's SYN-ACKs: the same segment (identical sequence and ack numbers) to client ports 57601 and 57633 is retransmitted six times over 22 seconds, and no client SYN or client ACK appears. The handshake should traverse the firewall as:

SYN: Outside --> Inside

SYN-ACK: Inside --> Outside

Because the firewall has no connection entry when the SYN-ACK arrives, the client's SYN either never passed through this interface or its entry is already gone; with the SYN-ACK being retransmitted within seconds of the first attempt, the two halves of the handshake taking different paths (asymmetric routing) is the likely explanation. Check the Inside --> Outside routing and whether port 80 is permitted along that path. In my case the cause was that the upstream policy routing was rejecting the traffic.

MFSC-1(config)#ip access-list extended to_2901_port

MFSC-1(config-ext-nacl)#permit tcp host 10.10.15.225 any eq 80 //the entry in place when the fault occurred: it matches the server's traffic to destination port 80, not its replies from source port 80

MFSC-1(config-ext-nacl)#permit tcp host 10.10.15.225 eq 80 any //the error: this entry was missing, so the server's replies (source port 80) were not matched and not let through
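To make the reasoning above repeatable, here is an added Python example (not part of the original post, and not Cisco tooling) that parses ASDM-format 106015 lines and "show capture" output offline and applies the same two checks: count SYN-ACK drops per server and interface, and confirm that the capture shows only server-to-client packets with the same SYN-ACK retransmitted. The sample log and capture lines are constructed, modelled on the ones in this post; the 192.0.2.10/443 entry and the ACK-only line are made up to show that the check is per server and ignores ACK-only drops.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the lines in this post (not taken from
# a live device). The 192.0.2.10 line and the ACK-only line are made up to
# show that the check keys on SYN ACK drops per server.
SYSLOG_SAMPLE = """\
6|Aug 31 2012 09:44:36|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31073 flags SYN ACK  on interface In-Internal_2
6|Aug 31 2012 09:44:37|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31041 flags SYN ACK  on interface In-Internal_2
6|Aug 31 2012 09:44:37|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31169 flags ACK  on interface In-Internal_2
6|Aug 31 2012 09:44:40|106015: Deny TCP (no connection) from 192.0.2.10/443 to 14.20.31.233/40000 flags SYN ACK  on interface In-Internal_2
"""
CAPTURE_SAMPLE = """\
   1: 10:00:01.1190680460 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840
   2: 10:00:01.1190680700 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840
   3: 10:00:04.1190683450 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840
"""

# ASDM-style line: "<sev>|<date>|106015: Deny TCP (no connection) from A/p to B/q flags F  on interface I"
SYSLOG_RE = re.compile(
    r"\|106015: Deny TCP \(no connection\) from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) "
    r"flags (?P<flags>.*?)\s+on interface (?P<iface>\S+)")

# "show capture" line: "<n>: <time> ... A.p > B.q: <flags> seq:seq(len) [ack N] win W"
CAPTURE_RE = re.compile(
    r"^\s*\d+: (?P<ts>\S+) .*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+) (?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?")


def parse_syslog(text):
    """One dict per 106015 line; flags become a list such as ['SYN', 'ACK']."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["flags"] = ev["flags"].split()
            events.append(ev)
    return events


def stateless_synack_sources(events):
    """Count dropped SYN-ACKs per (server, port, interface).

    A SYN-ACK with no connection entry means this interface never saw the
    client's SYN. ACK-only drops (usually a connection that already timed
    out) are left out so they do not inflate the count.
    """
    counts = Counter()
    for ev in events:
        if set(ev["flags"]) == {"SYN", "ACK"}:
            counts[(ev["src"], ev["sport"], ev["iface"])] += 1
    return counts


def parse_capture(text):
    """One dict per packet line of 'show capture' output; 'ack' is None if absent."""
    return [m.groupdict() for m in map(CAPTURE_RE.match, text.splitlines()) if m]


def capture_summary(pkts):
    """Return (set of (src, dst) pairs seen, Counter of identical SYN-ACKs).

    The same SYN-ACK (same 4-tuple, seq and ack) seen repeatedly is the
    server retransmitting because the client's ACK never arrives.
    """
    directions, synacks = set(), Counter()
    for p in pkts:
        directions.add((p["src"], p["dst"]))
        if p["flags"] == "S" and p["ack"] is not None:
            synacks[(p["src"], p["sport"], p["dst"], p["dport"], p["seq"], p["ack"])] += 1
    return directions, synacks


def diagnose(events, pkts):
    """Combine log and capture evidence for one interface.

    106015 on SYN-ACKs plus a capture showing only server->client packets
    means the client's SYN reached the server by a path that bypassed this
    interface (asymmetric routing or policy routing). An ACL deny would be
    logged as 106023, not 106015.
    """
    suspects = stateless_synack_sources(events)
    servers = {src for (src, _, _) in suspects}
    directions, synacks = capture_summary(pkts)
    client_syn_seen = any(dst in servers for (_, dst) in directions)
    one_way = bool(pkts) and not client_syn_seen
    return {
        "suspect_servers": sorted(f"{s}:{p} on {i}" for (s, p, i) in suspects),
        "one_way": one_way,
        "retransmitted_synacks": sum(1 for n in synacks.values() if n > 1),
        "verdict": ("asymmetric path: client SYN never crossed this interface"
                    if one_way else "inconclusive: check ACLs and connection timeouts"),
    }


if __name__ == "__main__":
    print(diagnose(parse_syslog(SYSLOG_SAMPLE), parse_capture(CAPTURE_SAMPLE)))
```

Feed it the output of `show logging asdm | include 106015` and `show capture <name>` from the same interface; if the verdict is "asymmetric path", look at routing and policy routing on the devices either side of that interface (as with the MSFC ACL above) rather than at the firewall's own access-lists.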

I used to think that a deny log appearing on the firewall must be caused by the firewall's own policy or routing, and kept checking and testing the policies I had written. After running into this problem I have to admit that my earlier view was wrong. A tragedy...