topic Hi Damon, in Network Security

packets dropping on the ASA

Damon Day — Tue, 12 Mar 2019 07:04:32 GMT

i have an FTP server we are trying to establish. the configuration is like this

Front end server in the DMZ 172.18.0.2/24 with 172.18.0.1/24 as the gateway which is on the ASA

back end server 10.85.0.54/24

now the way it is supposed to work is the front end receives the connection over SSH on port 22 and then makes a connection to the backend server on tcp/1180. however whats happening is the packets are being denied and dropped at the ASA with the following error

Deny TCP (no connection) from 172.18.0.2/1180 to 10.85.0.54/xxxxx flags SYN ACK on interface DMZ.

what would cause a SYN ACK to drop this way? I believe i have a cisco smartnet contract on this ASA. any help would be greatly appreciated.

thanks!

Any chance you have

Philip D'Ath — Sun, 27 Dec 2015 02:29:17 GMT

Any chance you have asymmetric routing, or a server with two NICs in two of the related subnets?

Hi Damon,

Akshay Rastogi — Sun, 27 Dec 2015 15:09:51 GMT

Hi Damon,

It looks like that the SYN packet leaves one interface however SYN-ACK comes on different interface. Behind which interface you have backend server? If the backend server is on different interface than DMZ then why SYN-ACK received on DMZ. It must be received on the Backend connected ASA interface.

There could be a possibility that the SYN-ACK packet is received on a different interface than the one from where SYN packet left for the server(Asymetric Routing).

Check the routing from the Backend Server side.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.