Monday, September 17, 2018

ASA Log Message Help

Hey Everyone, I continue to get alerts for this log message from the ASA but it's not making sense to me. Quick overview: we run a Cisco ASA55xx with Firepower services module. I get about 10-20 of these a day.

09 15 2018 06:16:18 firewallip <LOC4:INFO> Sep 15 2018 06:16:18: %ASA-6-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from CTN:"randomip"/443 to Business:"publicip"/5900 locally

I've replaced the true IPs; however, looking at this message, it appears an external IP with a source port of 443 is connecting to our public IP on port 5900/3389/8500.

However, when I look in Sourcefire for this random IP, the logic is reversed. In Sourcefire it shows that the random external IP and port (443) are the destination. The source IP in Sourcefire is our transparent proxy.

I'm confused by this; anyone have any ideas?
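
An added example, not part of the original post: a Python sketch that parses the %ASA-6-434004 line quoted above and reports whether a second connection record lists the ASA's "from" endpoint as its source or as its destination. The connection record's field names and all addresses are constructed placeholders, not values from the post or from any Sourcefire export format.

```python
import re

# Body of %ASA-6-434004 as quoted in the post. Quotes around the address are
# optional: the poster added them when redacting the real IPs.
ASA_434004 = re.compile(
    r'%ASA-6-434004: .*?process (?:(?P<proto>\S+) )?flow from '
    r'(?P<src_if>[^:\s]+):"?(?P<src_ip>[^"/\s]+)"?/(?P<src_port>\d+) to '
    r'(?P<dst_if>[^:\s]+):"?(?P<dst_ip>[^"/\s]+)"?/(?P<dst_port>\d+) locally'
)


def parse_434004(line):
    """Return the flow fields of a 434004 message as a dict, or None."""
    m = ASA_434004.search(line)
    if m is None:
        return None
    flow = m.groupdict()
    flow["src_port"] = int(flow["src_port"])
    flow["dst_port"] = int(flow["dst_port"])
    return flow


def remote_side(asa_flow, conn):
    """Say where the ASA's 'from' endpoint sits in another connection record.

    Only the remote endpoint is compared; the local side may be translated
    or proxied, so its address is not assumed to match.
    """
    remote = (asa_flow["src_ip"], asa_flow["src_port"])
    if remote == (conn["src_ip"], conn["src_port"]):
        return "same"
    if remote == (conn["dst_ip"], conn["dst_port"]):
        return "reversed"
    return "unrelated"


# Constructed sample data: documentation-range addresses, hypothetical field names.
SAMPLE_LINE = ('Sep 15 2018 06:16:18: %ASA-6-434004: SFR requested ASA to bypass '
               'further packet redirection and process TCP flow from '
               'CTN:203.0.113.10/443 to Business:198.51.100.20/5900 locally')
SAMPLE_CONN = {"src_ip": "10.0.0.5", "src_port": 5900,
               "dst_ip": "203.0.113.10", "dst_port": 443}

if __name__ == "__main__":
    flow = parse_434004(SAMPLE_LINE)
    print(flow, remote_side(flow, SAMPLE_CONN))
```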


