https://community.cisco.com/t5/network-security/first-tcp-packet-on-flow-does-not-contain-syn/m-p/2799895#M175210 <P>Hello：</P> <P>microsoft access use sql server native client 11 to connect to sql server. cisco asa drop packets.</P> <P>event log show the reason is first tcp packet on flow does not contain syn.</P> <P>does anyone can help me?</P> <P>thanks</P> <P></P> <P></P> Tue, 12 Mar 2019 06:50:36 GMT weichenyang 2019-03-12T06:50:36Z https://community.cisco.com/t5/network-security/first-tcp-packet-on-flow-does-not-contain-syn/m-p/2799895#M175210 <P>Hello：</P> <P>microsoft access use sql server native client 11 to connect to sql server. cisco asa drop packets.</P> <P>event log show the reason is first tcp packet on flow does not contain syn.</P> <P>does anyone can help me?</P> <P>thanks</P> <P></P> <P></P> Tue, 12 Mar 2019 06:50:36 GMT https://community.cisco.com/t5/network-security/first-tcp-packet-on-flow-does-not-contain-syn/m-p/2799895#M175210 weichenyang 2019-03-12T06:50:36Z https://community.cisco.com/t5/network-security/first-tcp-packet-on-flow-does-not-contain-syn/m-p/2799896#M175212 <P>Hi,</P> <P></P> <P>This can happen if there is assymetric routing in the network.&nbsp;</P> <P></P> <P>Packets for a TCP session should traverse the same ingress and egress interface in order to get processed under same session. Due to assymetric routing the packets can land to differnt interface for a tcp session and firewall will drop it.</P> <P></P> <P>Check if the traffic that is getting denied is hitting the firewall on the correct interface.</P> <P></P> <P>Share your findings.</P> <P>Thanks,</P> <P>R.Seth</P> Fri, 06 Nov 2015 12:59:59 GMT https://community.cisco.com/t5/network-security/first-tcp-packet-on-flow-does-not-contain-syn/m-p/2799896#M175212 Rishabh Seth 2015-11-06T12:59:59Z https://community.cisco.com/t5/network-security/first-tcp-packet-on-flow-does-not-contain-syn/m-p/2799897#M175214 <P>Hi,</P> <P>This is expected behaviour on the firewall. The firewall is a stateful device and it expects the first packet of any TCP connection must have only SYN flag to have value 1 which means the first packet must be a SYN. If the firewall gets any other packet like ACK then it will drop the packet. You have to check your network to see if there is any asymetric routing where request and response takes different path.</P> <P>From the firewall point of view we can do the tcp state bypass which will resolve the issue, but the firewall will not act as a stateful device for this specific traffic.</P> <P>Please refer the below document</P> <P>http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118995-configure-asa-00.html</P> <P>Thanks,</P> <P>Shivapramod M</P> <P></P> Fri, 06 Nov 2015 13:00:50 GMT https://community.cisco.com/t5/network-security/first-tcp-packet-on-flow-does-not-contain-syn/m-p/2799897#M175214 Shivapramod M 2015-11-06T13:00:50Z https://community.cisco.com/t5/network-security/first-tcp-packet-on-flow-does-not-contain-syn/m-p/2799898#M175215 <P>thanks for all!</P> <P>why&nbsp;<SPAN> is assymetric routing in the network? </SPAN></P> <P><SPAN>client in lan, server in dmz. no any network&nbsp;environment changing.</SPAN></P> <P><SPAN>i will keep on checking on monday.</SPAN></P> Sat, 07 Nov 2015 02:07:16 GMT https://community.cisco.com/t5/network-security/first-tcp-packet-on-flow-does-not-contain-syn/m-p/2799898#M175215 weichenyang 2015-11-07T02:07:16Z https://community.cisco.com/t5/network-security/first-tcp-packet-on-flow-does-not-contain-syn/m-p/2799899#M175218 <P>everything is fine except odbc link error and asa web admin error.</P> <P>restart asa, it is ok.</P> <P></P> Mon, 16 Nov 2015 04:48:07 GMT https://community.cisco.com/t5/network-security/first-tcp-packet-on-flow-does-not-contain-syn/m-p/2799899#M175218 weichenyang 2015-11-16T04:48:07Z