I was receiving a lot of syslog messages like this from our ASA 5520 (IPs have been changed to protect the innocent):
Deny TCP (no connection) from 1.1.1.20/4930 to 10.10.10.10/80 flags FIN ACK on interface outside1
Deny TCP (no connection) from 1.1.1.20/4927 to 10.10.10.10/80 flags FIN ACK on interface outside1
Deny TCP (no connection) from 1.1.1.20/4929 to 10.10.10.10/80 flags FIN ACK on interface outside1
Deny TCP (no connection) from 1.1.1.20/4928 to 10.10.10.10/80 flags FIN ACK on interface outside1
Deny TCP (no connection) from 2.2.2.4/59040 to 10.10.10.10/80 flags ACK on interface outside1
Deny TCP (no connection) from 3.3.3.74/1266 to 10.10.10.10/80 flags RST on interface outside1
Deny TCP (no connection) from 1.1.1.20/4931 to 10.10.10.10/80 flags RST on interface outside1
Deny TCP (no connection) from 1.1.1.20/4930 to 10.10.10.10/80 flags FIN ACK on interface outside1
Deny TCP (no connection) from 1.1.1.20/4931 to 10.10.10.10/80 flags FIN ACK on interface outside1
Deny TCP (no connection) from 4.4.4.17/41592 to 10.10.10.10/80 flags ACK on interface outside1
These looked a little strange at first, as they show the ASA denying traffic from outside clients to the public web server. These denies are not related to the firewall access lists; they are packets being dropped because the ASA determines that the connection is invalid.
Some research has made me confident that this is normal behavior for the ASA. As a security device, the ASA is very aggressive in closing TCP connections. Almost immediately upon receiving the first part of a 3-way termination handshake, the ASA will close the TCP communication between client and server. When the other two parts of the handshake come in, it no longer sees them as part of an established communication channel, and thus denies them. This is evident with the FIN ACK, ACK, and RST flags in the log messages. Notice that no SYN, SYN ACK, or FIN flags are being denied.
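To make the pattern above checkable rather than eyeballed, here is an added example (my own code, not something from the original post or from Cisco) that parses "Deny TCP (no connection)" messages in the format shown, groups them by source and by TCP flag set, and separates the flag combinations the post attributes to late teardown segments (FIN ACK, ACK, RST) from anything else. The sample input reuses the post's sanitized addresses plus one constructed "SYN ACK" line so the "unexpected" branch is exercised; the TEARDOWN_FLAGS set and the helper names are my assumptions, not ASA terminology.

```python
import re
from collections import Counter

# Constructed input: the first six lines reuse the sanitized addresses from the
# post; the final "SYN ACK" line is made up to exercise the "unexpected" path.
SAMPLE_LOG = """\
Deny TCP (no connection) from 1.1.1.20/4930 to 10.10.10.10/80 flags FIN ACK on interface outside1
Deny TCP (no connection) from 1.1.1.20/4927 to 10.10.10.10/80 flags FIN ACK on interface outside1
Deny TCP (no connection) from 2.2.2.4/59040 to 10.10.10.10/80 flags ACK on interface outside1
Deny TCP (no connection) from 3.3.3.74/1266 to 10.10.10.10/80 flags RST on interface outside1
Deny TCP (no connection) from 1.1.1.20/4931 to 10.10.10.10/80 flags RST on interface outside1
Deny TCP (no connection) from 4.4.4.17/41592 to 10.10.10.10/80 flags ACK on interface outside1
Deny TCP (no connection) from 5.5.5.9/40001 to 10.10.10.10/80 flags SYN ACK on interface outside1
"""

# Matches the message body as it appears in the post (syslog header, if any,
# may precede it; search() tolerates that).
LINE_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Flag sets the post explains as the tail of a connection the ASA has already
# torn down. Anything outside this set is worth a second look (assumed list).
TEARDOWN_FLAGS = {
    frozenset({"FIN", "ACK"}),
    frozenset({"ACK"}),
    frozenset({"RST"}),
    frozenset({"RST", "ACK"}),
}


def parse_line(line):
    """Return a dict for one 'Deny TCP (no connection)' message, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = frozenset(rec["flags"].split())  # "FIN ACK" -> {"FIN", "ACK"}
    return rec


def classify(rec):
    """'teardown' for the benign flag sets described in the post, else 'unexpected'."""
    return "teardown" if rec["flags"] in TEARDOWN_FLAGS else "unexpected"


def summarize(log_text):
    """Count denies by class and by source, and return the non-teardown records for review."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    by_class = Counter(classify(r) for r in records)
    by_src = Counter(r["src"] for r in records)
    unexpected = [r for r in records if classify(r) == "unexpected"]
    return {
        "parsed": len(records),
        "by_class": dict(by_class),
        "by_src": dict(by_src),
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("parsed:", summary["parsed"])
    print("by class:", summary["by_class"])
    print("by source:", summary["by_src"])
    for rec in summary["unexpected"]:
        print("review:", rec["src"], rec["sport"], sorted(rec["flags"]), rec["iface"])
```

Run against a real export, the "by class" count tells you whether the noise is entirely the teardown pattern the post describes, and the "by source" count shows whether one client is generating most of it (a busy proxy or NAT gateway typically will). Only the records in "unexpected" need a human to look at them.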
Just thought I'd drop this here for my own reference and to help out anyone who may be Googling with the same question on a Cisco ASA or PIX. Best references: An understanding of TCP 3-way termination, and this mailing list archive.
Wednesday, April 2, 2008
About Me
- Dustin Black