错误日志:
FWSM-1(config)# show log as | in 15.225
6|Aug 31 2012 09:44:36|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31073 flags SYN ACK on interface In-Internal_2
6|Aug 31 2012 09:44:37|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31041 flags SYN ACK on interface In-Internal_2
6|Aug 31 2012 09:44:37|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31169 flags SYN ACK on interface In-Internal_2
6|Aug 31 2012 09:44:37|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31105 flags SYN ACK on interface In-Internal_2
6|Aug 31 2012 09:44:37|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31137 flags SYN ACK on interface In-Internal_2
基本理解:
这个问题是说错误“没有连接”
出于某些原因,连接到web服务器被关闭。尝试做一个捕获,确定数据流发生问题所在。
FWSM-1(config)# access-list cap_acl permit tcp host 10.10.15.225 any
FWSM-1(config)# access-list cap-acl permit tcp any host 10.10.15.225
FWSM-1(config)# capture cap_traff access-list cap_acl in In-Internal_2
FWSM-1(config)# show capture cap_traff
12 packets seen, 12 packets captured
1: 10:00:01.1190680460 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840
2: 10:00:01.1190680700 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840
3: 10:00:04.1190683450 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840
4: 10:00:04.1190683700 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840
5: 10:00:05.1190684460 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840
6: 10:00:05.1190685060 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840
7: 10:00:10.1190689460 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840
8: 10:00:10.1190689710 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840
9: 10:00:11.1190690660 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840
10: 10:00:11.1190691070 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840
11: 10:00:23.1190702670 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840
12: 10:00:23.1190703070 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840
12 packets shown
分析与结论:
从抓取的日志明显看出3次握手没有建立成功所以,即:
SYN: Outside --> Inside
SYN-ACK: Inside --> Outside
检查Inside --> Outside的路由和80端口是否放通。我的问题所在是上层策略路由给拒绝了。
MFSC-1(config)#ip access-list extended to_2901_port
MFSC-1(config-ext-nacl)#permit tcp host 10.10.15.225 any eq 80 //故障时做的策略
MFSC-1(config-ext-nacl)#permit tcp host 10.10.15.225 eq 80 any //错误所在,没有放通。
原以为在防火墙上出现有deny的日志变是自身策略或者路由所致,不断排查写的策略和测试。遇到该问题后我得承认以前的观点是错误的。杯具...