https://community.cisco.com/t5/network-security/sync-timeout-in-00-00-30-bytes-0/m-p/4101838#M1070968 <P>Built inbound TCP connection from external 10.26.X.X/56900 to zone116 10.92.Y.Y/22 means the connection has gone through the firewall. by system default the time out for tcp is</P> <PRE><STRONG>timeout conn 1:00:00 half-closed 0:10:00</STRONG> udp 0:02:00 sctp 0:02:00 icmp 0:00:02</PRE> <P>teardown TCP connection log message in this case indicates that the connection timed out because the remote end didnt reply to the attempt of the user to form the TCP 22/ssh connection.</P> <P>&nbsp;</P> <P>Deny TCP (no connection ) from 10.92.Y.Y/22 to 10.26.X.X/56899 flags SYN ACK on interface zone116</P> <P>So for TCP 3 way handshake, it should be as follows:</P> <P>SYN: Outside --&gt; Inside</P> <P>SYN-ACK: Inside --&gt; Outside</P> <P>ACK: Outside --&gt; Inside</P> <P>From the logs, here is instead what happens:</P> <P>SYN: Outside --&gt; Inside</P> <P><STRONG>SYN-ACK: Outside --&gt; Inside</STRONG></P> <P>Hence the ASA is dropping the connection. The SYN-ACK packet is actually received on the outside interface instead of the inside interface as it should be.</P> <P>Here is how it goes:</P> <P>- ASA receives SYN, and place that in the connection table.</P> <P>- If the ASA does not receive the SYN-ACK packets within 30 seconds, it will clear that particular connection.</P> <P>- So if the SYN-ACK packet arrives at the ASA after the default timeout of 30 seconds, you will receive that error message of no TCP connection found.</P> <P>By default, the TCP incomplete timeout is 30 seconds.</P> <P>&nbsp;</P> <P>make sure is the nat rule/acl for the dmz server and the routing in place?</P> <P>&nbsp;</P> <P>hope this help you.</P> <P>&nbsp;</P> Thu, 11 Jun 2020 20:42:08 GMT Sheraz.Salim 2020-06-11T20:42:08Z https://community.cisco.com/t5/network-security/sync-timeout-in-00-00-30-bytes-0/m-p/4101780#M1070965 <P>I have ASA 5585SSP40&nbsp;</P><P>one interface naming external and i have interface having zone116&nbsp;</P><P>ip address 10.26.X.X from interface external want to connect server 10.92.x.x&nbsp; but unable to connect and when i see in the logs it is showing like this&nbsp;</P><P>Deny TCP (no connection ) from&nbsp;10.92.Y.Y/22 to&nbsp; 10.26.X.X/56899&nbsp; flags SYN ACK on interface&nbsp;zone116</P><P>teardown TCP connection for x@ interface:10.26.X.X/56899 to zone 116:10.92.Y.Y/22 duration 00:00:30 bytes 0 sync Timeout</P><P>Built inbound TCP connection from external&nbsp;10.26.X.X/56900 to zone116&nbsp;10.92.Y.Y/22</P> Thu, 11 Jun 2020 19:03:26 GMT https://community.cisco.com/t5/network-security/sync-timeout-in-00-00-30-bytes-0/m-p/4101780#M1070965 jhsdc-it 2020-06-11T19:03:26Z https://community.cisco.com/t5/network-security/sync-timeout-in-00-00-30-bytes-0/m-p/4101838#M1070968 <P>Built inbound TCP connection from external 10.26.X.X/56900 to zone116 10.92.Y.Y/22 means the connection has gone through the firewall. by system default the time out for tcp is</P> <PRE><STRONG>timeout conn 1:00:00 half-closed 0:10:00</STRONG> udp 0:02:00 sctp 0:02:00 icmp 0:00:02</PRE> <P>teardown TCP connection log message in this case indicates that the connection timed out because the remote end didnt reply to the attempt of the user to form the TCP 22/ssh connection.</P> <P>&nbsp;</P> <P>Deny TCP (no connection ) from 10.92.Y.Y/22 to 10.26.X.X/56899 flags SYN ACK on interface zone116</P> <P>So for TCP 3 way handshake, it should be as follows:</P> <P>SYN: Outside --&gt; Inside</P> <P>SYN-ACK: Inside --&gt; Outside</P> <P>ACK: Outside --&gt; Inside</P> <P>From the logs, here is instead what happens:</P> <P>SYN: Outside --&gt; Inside</P> <P><STRONG>SYN-ACK: Outside --&gt; Inside</STRONG></P> <P>Hence the ASA is dropping the connection. The SYN-ACK packet is actually received on the outside interface instead of the inside interface as it should be.</P> <P>Here is how it goes:</P> <P>- ASA receives SYN, and place that in the connection table.</P> <P>- If the ASA does not receive the SYN-ACK packets within 30 seconds, it will clear that particular connection.</P> <P>- So if the SYN-ACK packet arrives at the ASA after the default timeout of 30 seconds, you will receive that error message of no TCP connection found.</P> <P>By default, the TCP incomplete timeout is 30 seconds.</P> <P>&nbsp;</P> <P>make sure is the nat rule/acl for the dmz server and the routing in place?</P> <P>&nbsp;</P> <P>hope this help you.</P> <P>&nbsp;</P> Thu, 11 Jun 2020 20:42:08 GMT https://community.cisco.com/t5/network-security/sync-timeout-in-00-00-30-bytes-0/m-p/4101838#M1070968 Sheraz.Salim 2020-06-11T20:42:08Z